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Our mission, goal and vision 


Mission 

The Information Commissioner's Office’s (ICO's) 
mission is to uphold information rights in the public 
interest, promoting openness by public bodies and 
data privacy for individuals. 


Goal 
The ICO's goal is to achieve a society in which: 


e All organisations which collect and use personal 
information do so responsibly, securely and fairly. 


e All public authorities are open and transparent, 
providing people with access to official information 
as a matter of course. 


e People are aware of their information rights and are 
confident in using them. 


e People understand how their personal information is 
used and are able to take steps to protect themselves 
from its misuse. 

Vision 

To be recognised by our stakeholders as the 

authoritative arbiter of information rights, 

delivering high-quality, relevant and timely outcomes, 

responsive and outward-looking in our approach, 

and with committed and high-performing staff — 

a model of good regulation and a great place to work 

and develop. 
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The legislation we regulate 


The Data Protection Act 1998 (DPA) gives citizens important rights 
including the right to know what information is held about them and the 
right to correct information that is wrong. The DPA helps to protect the 
interests of individuals by obliging organisations to manage the personal 
information they hold in an appropriate way. 


The Freedom of Information Act 2000 (FOIA) gives people a general 
right of access to information held by most public authorities. Aimed at 
promoting a culture of openness and accountability across the public 
sector, it enables a better understanding of how public authorities carry 
out their duties, why they make the decisions they do and how they 
spend public money. 


The Privacy and Electronic Communications Regulations 2003 (PECR) 
support the DPA by regulating the use of electronic communications for the 
purpose of unsolicited marketing to individuals and organisations, including 
the use of cookies. 


The Environmental Information Regulations 2004 (EIR) provide an 
additional means of access to environmental information. The Regulations 
cover more organisations than FOIA, including some private sector bodies, 
and have fewer exceptions. 


The Infrastructure for Spatial Information in the European 
Community Regulations 2009 (INSPIRE) gives the Information 
Commissioner enforcement powers in relation to the pro-active provision 
by public authorities of geographical or location based information. 


The Data Retention Regulations 2014 (DRR) provides the Information 
Commissioner with a limited supervisory role under the Data Retention 
and Investigatory Powers Act 2014 (DRIPA). The DRIPA and DRR impose 
duties on communications service providers around the retention of 
communications data for third party investigatory purposes where they have 
been issued with a notice from the Secretary of State. Under the DRR the 
Information Commissioner has a duty to audit the security, integrity and 
destruction of that retained data. 


The Re-use of Public Sector Information Regulations 2015 (RPSI) 
gives the public the right to request the re-use of public sector information. 
They also set out the rules as to how public sector bodies can charge for 
re-use and licence the information. The ICO deals with complaints about 
how public sector bodies have dealt with requests to re-use information. 
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Information Commissioner's foreword 


This Annual Report, my last as Information Commissioner, describes a 

year of real achievement - delivering on our objectives, responding to new 
challenges, and preparing for big changes, particularly in the data protection 
and privacy field. 


We have focused clearly on the goals we set out in our corporate plan - and 
I think we can fairly claim to be able to show real progress. For example, in 
the 12 months since a change in the rules on nuisance marketing made it 
easier for the Information Commissioner to impose monetary penalties, we 
were able to take effective action against more of the organisations behind 
millions of illegal calls, hitting them with fines totalling more than £2 million. 


As well as working to deliver on our planned goals, the ICO has had to 
respond effectively to the unexpected. Big data breaches such as that at 
Talk Talk. Acting on newspaper allegations about charity fundraising methods 
that breached data protection and privacy law. Taking part in the debate 

on surveillance and security and the Investigatory Powers Bill. And, in its 
responses following the Schrems Judgment, with all the implications for 
transatlantic data flows, the ICO’s influential counsel has helped to avert 

a meltdown. Much more over the following pages. 


Applying FOIA remains an important aspect of the ICO’s work and we 
engaged actively with the work of the Burns Commission, appointed to 
review the experience of the Act after 10 years in operation. We provided 
detailed and objective evidence and welcomed the conclusion of the 
independent review that, by and large, the legislation is working well. 


As a leading member of the Article 29 Working Party of EU data protection 
authorities, the ICO has been preparing for the new data protection 
framework that takes effect across the EU from May 2018. However, 

we now need to consider the impact of the referendum on UK data protection 
regulation. It is very much the case that the UK has a history of providing 
legal protection to consumers around their personal data which precedes 
EU legislation by more than a decade, and goes beyond current 

EU requirements. 


I am glad to say that the ICO has not been standing still in terms of how 
best to deliver our services. Like all public bodies we have had to find 
efficiencies. At the same time, we have found new ways of delivering for 
customers and stakeholders. We have delivered more opportunities for data 
controllers and data subjects to learn about rights and responsibilities — 
with improvements to our website, top marks for our helpline, more on-the- 
spot conferences, informative blogs, webinars, and our highly successful 
compliance toolkit for small and medium sized enterprises (SMEs). 
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Machinery of government changes following the General Election last year 
saw responsibility for the Whitehall sponsorship of the ICO shift from the 
Ministry of Justice (MOJ) to the Department for Culture Media and Sport 
(DCMS) with its responsibilities for all things digital. At the same time, policy 
responsibility for freedom of information moved from MOJ to the Cabinet 
Office. The sponsorship team moved from MOJ to DCMS and we are glad to 
be working alongside the same Whitehall people who understand information 
rights and what the independent ICO does. Changes that might have been 
disruptive have in fact gone well. 


The credit for another year of high performance is shared by staff at every 
level of the organisation and I should like to thank everyone at the ICO for 
what they have done to contribute to this result. 


As Commissioner, I have been supported and encouraged throughout 

by the members of my Management Board, both non-executive and 
executive colleagues. Andrew Hind left the Board on 31 August 2015 on 
his appointment as chair of the Fundraising Standards Board. David Smith 
retired after over 25 years at the ICO and Graham Smith was appointed 
to a role with the European Ombudsman in Brussels. 


Losing the experience of two Deputy Commissioners at the very point 

at which the ICO needed to adapt for the demands of the new EU data 
protection framework was a challenge we met head on. I designated the 
ICO's Deputy Chief Executive Simon Entwisle as Deputy Commissioner and 
formed a Senior Management Team of departmental heads to carry forward 
the work of the former Executive Team and to ensure the smoothest possible 
handover to my successor. 


There has been universal approval for the news that Elizabeth Denham, 
Information and Privacy Commissioner for British Columbia since 2010, is to 
be the new UK Information Commissioner, serving for the next five years. 
As Deputy Commissioner, Simon Entwisle is authorised to cover any brief 
vacancy between the end of my second term as Information Commissioner 
and the arrival of Elizabeth Denham in a very few weeks’ time. 


After seven exciting and eventful years as Information Commissioner, I am 
confident that I am handing to my successor an organisation that is in good 
shape and good heart - and ready for the changes and challenges ahead. It 
has been an honour and a privilege to serve in the role at such an interesting 
and demanding time for information rights. That the ICO has been able 

to point the way ahead while keeping on top of a growing and demanding 
caseload is to the credit of the expert and dedicated team which it has been 
my delight to lead and to represent. 


Christopher Graham 
23 June 2016 
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Our aims 


The ICO has identified the following six objectives, achievement against 
which will enable us to achieve our strategic outcomes. 


1. Organisations better understand their information rights obligations. 


2. Enforcement powers are used proportionately to ensure improved 
information rights compliance. 


3. Customers receive a proportionate, fair and efficient response to 
their information rights concerns. 


4. Individuals are empowered to use their information rights. 


5. The ICO is alert and responsive to changes which impact on 
information rights. 


6. An efficient ICO well prepared for the future. 
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Our year at a glance 


April 2015 


The law was changed to 
remove the requirement 
that we had to prove 
substantial damage 

or substantial distress 
before issuing civil 
monetary penalties 

for unsolicited direct 
marketing messages 
and telephone calls. 

We prosecuted Lismore 
Recruitment Ltd for 
failing to notify with the 
ICO, and a caution was 
given to an employee of 
China Bridge Group (UK) 
for a criminal breach of 
section 55 of the DPA. 


May 2015 


Following the loss of 
evidence in a sexual 
abuse case we issued a 
civil monetary penalty 
of £160,000 to South 
Wales Police. 


June 2015 


We issued enforcement 
notices against Money 
Help Marketing Ltd, 
Preferred Pensions LLP 
and Advanced VOIP 
Ltd to require future 
compliance with PECR. 
We issued a caution 

to a member of staff 
employed by Lloyds 
Banking Group for 

a criminal breach of 
section 55 of the DPA. 


July 2015 


The ICO took on 
responsibility for 
handling complaints 
under the RPSI 
Regulations. 


August 2015 


The Commissioner gave 
evidence to Sir Stuart 
Etherington's review 

of charity fundraising 
and the Public 
Administration and 
Constitutional Affairs 
Committee inquiry. 

We prosecuted 
Consumer Claims 
Solutions Ltd for failing 
to register with the ICO, 
and we issued a civil 
monetary penalty of 
£180,000 to the Money 
Shop after the loss 

of computer servers 
holding details of several 
thousand customers. 


September 2015 


We issued our largest 
(then) civil monetary 
penalty of £200,000, 
for automated 
marketing calls, 
against Home 

Energy and Lifestyle 
Management Ltd. 
They made over six 
million calls. 


October 2015 


Pharmacy 2U Ltd had 
to pay a civil monetary 
penalty of £130,000. 
To help the international 
coordination of 
enforcement activities 
we, and 10 other 
authorities, signed the 
Global Cross Border 
Enforcement Cooperation 
Arrangement. 
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November 2015 


We issued our first 
caution for a criminal 
breach of section 

56 of the DPA on 
enforced subject 
access. We also issued 
enforcement notices 
against Nuisance Call 
Blocker Ltd and Telecom 
Protection Service 

Ltd, as well as civil 
monetary penalties 

of £170,000. 

The Crown Prosecution 
Service received a civil 
monetary penalty of 
£200,000 following the 
theft of laptops. Aston 
James Consulting was 
fined £1,430 for failing 
to comply with an 
enforcement notice. 


December 2015 


Telegraph Media Group 
Ltd was issued with a 
civil monetary penalty 
of £30,000 for sending 
unsolicited emails. We 
also issued Bloomsbury 
Patient Network a 
penalty of £250 for 
failing to protect the 
privacy of individuals. 
We prosecuted two 
people under section 
55 of the DPA for 
unlawfully obtaining 
personal data; one 
was fined £300 and 
the other £1,000. 


January 2016 


We launched our 

new data protection 
self-assessment tool 
for SMEs. 
Commissioner gave 
evidence to the Joint Bill 
Committee considering 
the Investigatory 
Powers Bill and the 
Culture Media and 
Sport Committee 

for its inquiry into 
cyber security. 

We prosecuted RFF 
Services (UK) for failing 
to comply with an 
enforcement notice; 
they were fined £200. 
And an individual 

was fined £1,000 for 
unlawfully obtaining and 
disclosing personal data. 


February 2016 


We published guidance 
on encryption and on 
how organisations 
should approach 
international transfers 
in light on the European 
Court of Justice ruling 
in the case of Schrems. 
We issued our largest 
civil monetary penalty 
of £350,000 to ProDial 
Ltd, and one of £70,000 
to Direct Security 
Marketing Ltd for a 
series of frightening 
automated calls sent in 
the middle of the night. 
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March 2016 


We launched our 
microsite on the EU 
data protection reforms, 
setting out 12 key steps 
organisations should 
take now to prepare for 
the changes. 

We held two successful 
conferences for over 
1,000 data protection 
practitioners and 
freedom of information 
practitioners 
respectively, and 
hosted the International 
Enforcement Co- 
ordination conference. 
Three more companies 
received civil monetary 
penalties taking 

the annual total for 
unsolicited marketing 
calls to nearly 

£2 million pounds. 

An individual was 
issued a civil monetary 
penalty of £5,000 for 
automated calls. I & K 
Prestige Food Ltd was 
prosecuted for failing 

to register with the ICO 
and was fined £200. 
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Key issues and risks 


Risks are regularly refreshed by senior managers with a major review 
each spring. The risk register is also discussed at Management Board, 
Audit Committee and at quarterly meetings with the ICO’s sponsoring 
department, DCMS. 


The main risks identified during the 2015-16 year related to: 


e uncertainty over income (both registration fee and grant in aid); 

e removal of the duty to notify under the EU data protection reforms; 
e staff engagement; 

e implementation of information technology projects; 

e political uncertainty; 


e managing change (from the EU data protection reforms and changes 
in senior management); and 


e identifying emerging information rights issues. 

Given a three year financial settlement for grant in aid from the DCMS and 
increases in data protection registration fee income, many of the short term 
financial risks have been removed. Therefore the main areas of uncertainty 
for the future relate to: 

e political uncertainty; 


e managing change arising from the EU referendum result and from 
changes in ICO senior management; and 


e being able to accurately identify emerging information rights issues. 
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Going concern 


The accounts continue to be prepared on a going concern basis as a 
non-trading entity continuing to provide statutory public sector services. 


Whilst there will be an impact on data protection regulation from the 

EU referendum result, the current data protection regulatory regime was 

to remain in place until EU data protection reforms were implemented in 
May 2018. This means that for the next financial year at least there are not 
expected to be any major changes in UK data protection regulation and the 
role of the ICO. 


Grant in aid has already been included in the DCMS's estimate for 2016-17, 
and there is no reason to believe that future sponsorship and parliamentary 
approval will not be forthcoming. 
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Analysis: 
Introduction 


Context 


During 2015-16 the ICO took on responsibility for handling complaints under 
the RPSI regulations. There have been no other substantive changes to the 
ICO's duties and objectives during the year. 


Achievement of the ICO's six aims is directly supported by actions detailed 
in the ICO Plan 2015-2018. Performance against the Plan is monitored 
quarterly by the Management Board. A report on performance is prepared 
by relevant managers, where possible based on statistics from our casework 
management system. Performance in other areas can be more subjective 
and is subject to challenge at Management Board. 


Operational performance 


This year saw an increase in data protection concerns brought to us with 
over 16,300 cases. We resolved more cases than ever before, closing over 
15,700 during 2015-16 with over 90% of cases concluded within three 
months. In the majority of cases we have identified actions that we expect 
organisations to take. 


Complaints about access to information from public authorities, primarily 
under FOIA, have also increased. We received over 5,100 complaints and 
closed 5,068 during the year. Over 70% of complaints resulted in a decision 
within three months and over 90% of cases were concluded within six 
months. We issued 1,376 decision notices; a record number. There were 275 
appeals (including nine remittals) to the Information Tribunal. We dealt with 
257 and successfully defended over 80% of our decisions. 


Our Helpline received 204,700 calls during the year; a similar number 
to the previous year. Half of the calls were from the public and half from 
organisations we regulate with many of the latter calls from SMEs. 80% 
of calls related to data protection, 15% to PECR and 4% to freedom of 
information issues. 


We conducted independent research to measure levels of satisfaction 
with the service. When asked how helpful the service was, 95% of callers 
described it as helpful or very helpful. 


Nine out of ten enquiries were dealt with by our first point of contact with 
the caller. 5% of enquiries were sent to us in error. 
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Financial performance 


Grant in aid 
Freedom of information expenditure continued to be funded by grant in aid. 
The grant in aid for 2015-16 was £3,750k (2014-15: £3,700k). 


No grant in aid was carried forward in 2015-16 (2014-15: nil). 


Fees 

Data protection activities are financed by fees collected from data controllers 
who have to notify their processing of personal data under the DPA. 

The annual fee is £35, unchanged from its introduction in 2000. It applies 

to charities and small organisations with fewer than 250 employees. 

In 2009 a higher fee of £500 was introduced for larger data controllers 
defined as those with an annual turnover of £25.9 million or more and 
employing more than 250 people. For public authorities employing more 
than 250 people the fee is also £500. 


Fees collected in the year totalled £18,311k (2014-15: £17,519k); 

a 4.5% increase on the previous year. We identified sectors which were 
under represented on the register of data controllers and contacted 
organisations we thought ought to be registered. We also followed up lapsed 
registrations from data controllers in these same sectors. These initiatives 
led to between 2,750 to 3,000 additional data controllers joining the register 
during the year. 


The ICO is allowed to carry forward into the following financial year such 
funds as are necessary to meet any liabilities arising in the preceding 
financial year, such as creditors. An amount of £1,742k (2014-15: £1,753k) 
has been carried forward into 2016-17, as was an additional amount of 
£158k (2015-16: £953k) as uncleared cash in transit which was not available 
for spend. 


Annual expenditure 
The total comprehensive expenditure for the year was £5,056k 
(2014-15: £3,896k). 


Financial instruments 
Details of our approach and exposure to financial risk are set out in note 8 
to the financial statements. 
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Achievement against our aims: 
1. Organisations better understand their 
information rights obligations 


Monitoring and acting proactively 


We monitored the direct marketing activities of 26 organisations. 
Over 80% showed an improvement in complaint volumes or compliance. 


We also wrote to more than 60 organisations to remind them of their 
obligations under PECR in the use of cookies, and published a quarterly 
report on data security incidents that were reported to us. 


Audits, advisory visits and workshops 
We delivered: 


e 35 audits providing advice and recommendations; 

e 17 information risk reviews; 

e 36 follow-up audits (checking recommendations are followed); and 
e 77 advisory visits to SMEs. 


We facilitated workshops for local medical councils, with over 1,000 
attendees, and worked with parish councils and the Victims Services Alliance 
to promote good information rights practices. 


The ICO also completed a number of audits it is required to do. This included 
auditing the Schengen Information System and the Home Office Technology 
- Police Live Services. 


Focusing on specific sectors 


We delivered a programme aimed at improving information governance in 
Ambulance Trusts including an audit, two advisory visits, online surveys and 
a “train the trainer” session run by the National Archives. 


We worked closely with residential sales and letting agents, undertaking a 
series of visits and running an online survey with the National Association of 
Estate Agents and the Association of Residential Lettering Agents. This work 
resulted in publication of a report in January 2016 which identified areas for 
improvement across the sector. 


As well as working with established sectors we also focused on emerging 
issues in information rights, such as the move to integrated health and social 
care. This will continue to be an area we focus on. 


We also made it clear to insurers that using subject access rights to obtain 
a person's entire medical record was unacceptable. In some cases insurers 
need medical information to make decisions, but this has to be done in a 
way that respects individuals” rights. 
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Focusing on specific issues 


Both before the General Election in May 2015, and the EU referendum, 
we provided advice to political parties on data protection and electronic 
marketing rules relating to political campaigning. We also engaged with 
the Cabinet Office on individual electoral registration and the uses of the 
full and open electoral registers. 


We provided advice to the Independent Inquiry into Child Sexual Abuse on 
data protection issues arising from the Inquiry's letter to more than 240 
organisations, making it clear that the continued preservation of data was 
necessary and did not contravene the DPA. 


Self-assessment toolkit 


A major achievement has been the launch of the self-assessment tool kit in 
January. This online tool, aimed at SMEs, allows businesses easily to assess 
their compliance with data protection regulation. We will continue to develop 
this tool. 


Guidance 
We published a range of guidance to help organisations including: 


e updated guidance on direct marketing; 
e new guidance on the RPSI; 
e refreshed guidance on FOIA and EIR; and 


e interim guidance on international transfers following the Schrems 
judgment of the Court of Justice of the EU. 


Helpline services 


As the year drew to a close we introduced a new “live chat” service to our 
website to allow customers to chat with our helpline staff online. We are 
monitoring its usage and effectiveness. 
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2. Enforcement powers are used 
proportionately to ensure improved 
information rights compliance 


PECR work 


Following changes made in April 2015 to the threshold at which we could 
take action, we issued 17 civil monetary penalties under PECR totalling 
£1,985,000 to organisations pursuing a range of unlawful marketing 
activities; more penalties for nuisance calls than ever before. 


Our enforcement work also included a penalty of £130,000 for a fair 
processing breach of the DPA after Pharmacy 2U Ltd sold details of over 
20,000 customers to a list marketing company. This was the first time we 
had issued a civil monetary penalty for this type of breach. 


Three mandatory fines were paid under PECR where communications 
service providers failed to report personal data breaches within the 
required timescales. We also served nine enforcement notices on a 
range of marketing organisations to ensure they followed the law. 


In November 2015 we undertook a week of action with the Claims 
Management Regulator attending audits of several claims management 
companies, and writing to more than 1,000 lead generation companies 
to check their compliance with the law. 


The right to be forgotten 


We issued an enforcement notice to Google Inc. requiring it to remove nine 
search results about an individual under the right to be forgotten. Google 
Inc. removed the links from European versions of its search engine, however 
the Commissioner ruled that Google Inc. should also remove the links from 
all versions of its search engine that were accessible from within the UK. 
Google Inc. initially appealed this decision, but then agreed to remove the 
results. Additionally during the year we issued three preliminary enforcement 
notices about delisting which Google Inc. complied with. 


Operation Spruce 


Operation Spruce is a criminal investigation into alleged breaches of section 
55 of the DPA by corporate clients believed responsible for tasking private 
investigators to unlawfully obtain personal data. The ICO launched the 
investigation in September 2013 following a referral from the National Crime 
Agency (NCA) after the conviction of four private investigators. The NCA 
continues to provide support. The first file was submitted for a decision on 
whether or not to prosecute in November 2015. Investigations into nine 
other clients are ongoing with further files expected to be submitted over 
the coming months. 
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Enforced subject access 


Section 56 of the DPA relates to enforced subject access. This is where 

a third party gets information from an individual (in connection with 
prospective or current employment or for the provision of goods and 
services) by asking that individual to make a subject access request under 
the DPA. In March 2015 breaching section 56 became a criminal offence, and 
in November we finished our first criminal investigation which resulted in the 
ICO issuing a caution. 


Other enforcement action 


During the year the Daily Mail reported on the activities of some charities 
which suggested possible contraventions of both the DPA and PECR. 

We monitored three charities, the RNIB, Christian Aid and Greenpeace, 
for improvements. In two other cases we found no evidence of serious 
contraventions and we agreed best practice undertakings with the British 
Red Cross and Age International. 


In respect of prosecutions we secured: 


e eight section 17 prosecutions for non-notification offences; 


e three section 47 prosecutions secured for failing to respond to an 
information notice; and 


e three section 55 prosecutions for unlawfully obtaining data. 


In addition three cautions were issued; two of these for section 55 offences 
and one for a section 56 offence. 


Nuisance Call Blocker Ltd was fined £2,500 for failing to respond to an 
information notice we had issued during the course of an investigation into 
the company’s compliance with PECR. 


We issued a further four civil monetary penalties under the DPA totalling 
£550,250 to Bloomsbury Patient Network, The Crown Prosecution Service, 
The Money Shop and South Wales Police. 


In addition to the enforcement notice issued to Google, we served six 
further enforcement notices to improve compliance with the DPA and one 
under the FOIA. 
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3. Customers receive a proportionate, 
fair and efficient response to their 
information rights concerns 


Data protection issues 


More than 370 people sought our help after search engines refused to 
remove results about them under the right to be forgotten. About a third 
of these contacts related to criminal convictions. In a third of the cases 
we required the search engines to remove results. We have not required 
removal where search results relate to recent or serious convictions. 


Under the DPA people can ask the police for their DNA, fingerprints and 
Police National Computer records to be deleted. We considered a complaint 
from an individual who had a request for deletion of an arrest record 
refused. As the record would remain until the individual was 100 years old 
we considered that the refusal was disproportionate. We are working with 
the police who have agreed to review retention periods for criminal records. 


Improving practice in organisations 


Examples where issues raised with us have resulted in improvements to 
information rights practice are: 


e We worked closely with the London Borough of Southwark to improve 
their subject access request response times. 


e City Islington College has introduced new internal guidance and a 
centralised tracker to ensure they deal with subject access requests 
within 40 days. 


e The University of Glasgow sent a mass email which inadvertently shared 
personal information. They now train all staff on the DPA. 


e Aworker for Guide Dogs for the Blind Association left details of a donor 
on a park bench. The Association has now confirmed that they will give 
refresher training to all fundraising teams. 


Other issues 


e There were a large number of incidents reported to us about emergency 
contact information in schools. We will remind schools of the need to 
ensure that such information is kept secure. 


e We saw a steady increase in concerns about CCTV, and in particular about 
audio recording. Our view is that audio should only be used in limited 
circumstances and we told a national haulage company to remove audio 
recording from 5,000 vehicles. 


e We worked with the Pensions Ombudsman following concerns that their 
published decisions included personal data. This had been done to give 
transparency to their decision making. We helped the Ombudsman 
achieve a balance between privacy and transparency. 
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Freedom of information monitoring 


This year we have taken a different approach to our monitoring of 
compliance with FOIA, taking greater account of intelligence arising from 
casework and making more use of our tasking and co-ordinating groups. This 
has resulted in increased informal monitoring and our giving more support to 
organisations to help them improve their performance. 


We still undertake more formal monitoring, including of government 
departments, councils and a police force. In Northern Ireland we asked all 
departments to provide their latest freedom of information performance 
statistics. This allowed us to assess compliance and to identify long- 
outstanding requests in order to get them cleared. However, we did have to 
resort to our regulatory powers and in June served an enforcement notice 
on the Department of Finance and Personnel Northern Ireland, requiring it 
to respond to four significantly overdue requests. 


We also continue to work closely with the Metropolitan Police Service, 
reviewing their progress against the performance improvement plan. 


Appeals to the Information Tribunal 
There were 275 appeals against ICO decisions to the Information Tribunal. 


Cases of note included: 


e In relation to local authority charges for information on property search 
forms, the Court of Justice of the European Union found that the staff 
time spent by a public authority answering individual requests could be 
included in a charge. 


e The Supreme Court dismissed the Attorney General's appeal against 
the Court of Appeal's decision that his certificate vetoing disclosure 
of correspondence between the HRH Prince of Wales and government 
departments was unlawful. 


e The Commissioner found that the Royal Household and the Sovereign are 
not public authorities for the purposes of EIR. The Upper Tribunal agreed. 


e The Commissioner appealed the First-tier Tribunal's decision ordering 
him to disclose the names of some of the journalists who had instructed 
private investigators involved in the illegal trade of personal information. 
The First-tier Tribunal had found that this information was not exempt 
from disclosure under section 40(2) of FOIA. On appeal the Upper 
Tribunal found against the Commissioner and upheld the First-tier 
Tribunal's decision. 
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4. Individuals are empowered to 
use their information rights 


Bulk subject access requests 


We advised Her Majesty's Revenue and Customs and the Ministry of Defence 
about the importance of upholding information rights when dealing with high 
volumes of subject access requests. These requests related to compensation 
claims for health conditions. 


Patient objections to use of their data 


Patients were offered the opportunity to object to the Health and Social 
Care Information Centre (HSCIC) sharing their personal data with other 
organisations. This option was provided through household leaflet 
drops made during preparations to launch the Care.data programme 
(currently paused given concerns over the process). 


Some patients told their GP that they objected to having their data shared. 
However, despite these objections data sharing has taken place. We have 
secured a legal undertaking from HSCIC to put measures in place to better 
respect patient objections. 


National Data Guardian consent review 


The Secretary of State for Health commissioned the National Data Guardian 
to review and produce a report detailing whether the NHS should offer 
patients an opt out from their data being used for purposes other than direct 
care. We took part in the review panel and helped ensure that any approach 
to consent complied with current and planned changes to data protection 
laws. 


Alerting people to cyber threats 

We have used blogs to highlight new and emerging technology issues, 
such as: 

e how websites leak data; and 

e the implications of the Ashley Maddison hack. 
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5. The ICO is alert and responsive 
to changes which impact on 
information rights 


Global Privacy Enforcement Network Privacy Sweep 


We jointly led the third Global Privacy Enforcement Network Privacy Sweep 
which saw 29 data protection regulators looking at 1,494 websites and apps 
targeted at children. We found that 67% of the sites and apps collected 
children’s personal information, with only 31% having effective controls in 
place. We are following up this work with UK sites and apps. 


Data sharing 


We have participated in the Cabinet Office's data sharing open policy 
making process. This work resulted in a consultation on making better 

use of government data and legislative proposals for data sharing. We 
provided formal responses to government consultations on this, on proposed 
regulations relating to arrangements for individual electoral registration and 
on extending data gathering powers and improving tax transparency 

to tackle the hidden economy and tax avoidance. 


Cyber security 


Following the Talk Talk security breach the Culture, Media and Sport 

Parliamentary Committee held an inquiry into cyber security and the 
protection of personal data online. We provided written evidence and 
renewed our call for the option of custodial sentences for section 55 

DPA offences. The Commissioner appeared before the Committee to 

give evidence. 


Investigatory powers legislation 


We provided evidence to the Joint Committee on the Draft Investigatory 
Powers Bill and have followed this up with written evidence to the Public 
Bill Committee. 


The Commissioner’s duties to audit the integrity, security and destruction of 
retained communications data under DRIPA are carried forward to the Bill. 
We have continued to express concerns about the Commissioner’s statutory 
powers to undertake these duties (notably, the lack of powers to require 
co-operation from telecommunications operators whom we are required to 
audit); the methods for retaining communications data and the extent of 
access to internet connection records; access to bulk personal data datasets; 
the possible circumvention or disabling of encryption; and the relaxation of 
requirements on telecommunications operators to report data breaches to 
the ICO. 


This last measure is aimed at reducing any dual reporting of security 
breaches, both to the new Investigatory Powers Commissioner and the ICO. 
The proposed legislative solution will call into question the UK’s adherence 
with the current Privacy and Electronic Communications Directive and the 
new data protection framework. 


We also provided a detailed business case to government explaining how 
communications data is vital to our own enforcement role. 
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Competition investigation remedies — switching supplier 


We provided evidence to the Competition and Markets Authority during its 
investigations into the energy industry and retail banking. The proposed 
remedies included sending marketing to consumers and prompting them 
to change their supplier. 


Tracking technological developments 

We tracked technological developments with an impact on information rights 
and in the last year published new or updated guidance on: 

e using encryption; 

e safely removing personal data from information requests and datasets; 

e IT security guidance for small business; and 

e Wi-Fi location analytics. 

We have also been active members of international forums on technology 
issues related to information rights such as: 

e Article 29 Technology Subgroup (as Chair); 


e International Working Group on Data Protection in Telecommunications; 
and 


e the Internet Privacy Engineering Network. 


International liaison 


The ICO hosted the annual conference of the European Data Protection 
Authorities in May 2015. The theme was data protection in practice. 


In March the ICO hosted the Annual International Enforcement Event. 
More than 30 delegates from over 20 authorities around the world 
participated in a series of workshops and discussion sessions to further 
practitioners’ understanding of how to make international enforcement 
cooperation work in the privacy regulatory community. 
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6. An efficient ICO well prepared 
for the future 


Inspection of the ICO 


An inspection of the ICO by the Office of Surveillance Commissioners took place 
in December 2015. The inspection reported a satisfactory level of compliance 
within the ICO. We will be taking forward the recommendations made. 


Electronic Identification and Trust Services (eIDAS) Regulations 


We agreed with the Department for Business, Innovation and Skills to 
become the UK supervisory authority for the provision of trust services under 
these Regulations, subject to parliamentary approval. 


Answering requests for information made to us 


We received an increased number of requests for information made to us in 
our capacity as a data controller and public authority. We aim to deal with 
95% of these requests within the statutory timescales which we managed to 
do this year. We also saw a small reduction in the number of times we were 
asked to review our decision. Where this happened our original decision was 
upheld in all cases. 


A new look disclosure log was launched on our website in line with our 
commitment to proactively publish as much information as possible about 
our work. 


Information technology 


Increased mobile working capability was introduced for staff who are 
frequently out of the office. We also began three major work programmes to 
improve our core business applications, review and update our infrastructure 
and to introduce better communication systems. 


European data protection reforms 


In December 2015 the EU institutions reached political agreement on the 
texts of the General Data Protection Regulation and the Directive on Data 
Protection and Law Enforcement. The Regulation shall apply across the 
EU from 25 May 2018 and the Directive from 6 May 2018. 


In January 2016 we ran a workshop on the reforms, seeking the views of 
stakeholders on the challenges of implementing the Regulation and Directive. 
Around 100 organisations attended. And in March 2016 we launched a 
microsite https://ico.org.uk/for-organisations/data-protection-reform/ and 

a guidance document setting out 12 key steps organisations should take to 
prepare for the new data protection framework. 


The impact of the results of the EU referendum on future work in this area 
will have to be considered. 
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Staffing 


As of the 31 March 2016 the ICO had 442 staff (409 full time equivalents) 
with over 70 new staff having joined us during the year as the 
Commissioner’s responsibilities have increased. We have re-organised how 
we work to ensure that we are able to meet the new demands placed upon 
us. This has created opportunities for existing staff as well as new. 


Learning and development 


We continue to ensure that our staff have the necessary training and 
development to deliver a first class service. In addition to our information 
rights training we have focused our training on investigatory skills, IT, audit 
and customer service. 


Buildings and facilities 


We provide a high quality safe and efficient working environment for 
our staff. And we have focused on making savings in, or getting service 
improvements from, our external contracts. 


Payment of Suppliers 


The ICO has adopted a policy on prompt payment of invoices which complies 
with the “Better Payment Practice Code” as recommended by government. 
In the year ended 31 March 2016 90.1% (2014-15: 97.1%) of invoices were 
paid within 30 days of receipt, or in the case of disputed invoices, within 30 
days of the settlement of the dispute. The target percentage was 95%. 


In October 2008 government made a commitment to speed up the public 
sector payment process. Public sector organisations should aim to pay 
suppliers wherever possible within 10 days, and to this end the ICO pays all 
approved invoices on a weekly cycle and has monitored payments against a 
10 day target from 1 April 2009. For the year ended 31 March 2016 32.6% 
of payments were paid within 10 days (2014-15: 36.47%). 
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Operational performance 


Data protection concerns 


Received 


2014/15 


Finished 


2014/15 


Caseload 


1,170 31 March 2015 
1,848 31 March 2016 


Age distribution of caseload as at 31 March 2016 
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Age distribution of concerns finished 
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0-30 days 31-90 days 91-180 days 181-270 days 271-364 days Over 1 year 


0% 
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30 days or less 50% 


180 days or less 98.5% 98.6% 


s 14/15 
Outcomes of concerns finished - 15/16 


No action for DC* 

DC action required 

Concern to be raised with DC 
Compliance advice given to DC 
Response needed from DC 
General advice given to DC 
Not DPA 

DC outside UK 


Improvement Action Plan agreed 


0 1000 2000 3000 4000 5000 6000 


*Data Controller 


Concerns finished with the following outcomes — enforcement notice 
pursued, criminal investigation pursued, undertaking served and civil 
monetary penalty pursued represented 0.2% of the total. 
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Areas generating most concerns where sector Reasons generating most concerns where nature 


is specified is specified 
2014/15 2015/16 2014/15 2015/16 
Health 10% 12% Subject access 46% 42% 
General Business 10% 11% Disclosure of data 18% 18% 
Local Government 11% 10% Inaccurate data 14% 12% 
Lenders 12% L Security 8% 9% 


Internet T Right to prevent processing 


Policing and Criminal S Use of data 3% 4% 
Central Government Fair processing 
Education Em re Retention of data 1% 2% 
Telecoms 5% Obtaining data 
Retail 3% 3% Excessive / Irrelevant data 1% 1% 


Received 


2014/15 4,976 
2015/16 5,181 


Finished Caseload 


2014/15 5,071 823 31 March 2015 
2015/16 5,068 |_| 955 31 March 2016 


Age distribution of caseload as at 31 March 2016 


45% 
40% 


35% = 7 38% 


30% 
7% 
p> 1% — 01% 


25% 
0-30 days 31-90 days 91-180 days 181-270 days 271-365 days 366+ days 


20% 
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Age distribution of finished complaint casework 


60% 
2014/15 2015/16 
a 30 days or less 56% 48% 
90 days or less 73% 71% 
20% 


180 days or less 91% 92% 
0.3% 365 days or less 99.4% 99.7% 


0-30 days 31-90 days 91-180 days 181-270 days 271-364 days Over 1 year 


0% 
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Areas generating most complaint casework where sector Outcome of complaint casework where a decision notice 
is specified is served 


2014/15 2015/16 2014/15 2015/16 
Total served 1,305 1,376 


Local Government 46% 40% 


Police & criminal justice 


Upheld 307 (24%) 330 (24%) 


Education Partially upheld 189 (14%) 195 (14%) 


Outcomes of complaint casework finished E 14/15 


Miss 


Complaint made too early 
(no internal review) 


Decision notice served 


Informally resolved 


Ineligible complaint 


Complaint not progressed 


0% 200 400 600 800 1000 1200 1400 1600 1800 


Appeals to the Information Rights Tribunal 
Received 
316 
IEA 275 


Finished 
201 
IIA 257 
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Open caseload as at 31 March 2016 


First tier Tribunal 
Upper Tribunal 


Court of Appeal 


High Court - Judicial review applications 


Supreme Court 1 


0 50 100 150 200 250 


Outcomes of Appeals finished in 2015/16 


Dismissed 
Withdrawn 
Part Allowed 
Allowed 
Struck out 
Consent order 


Other 
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Advice services 
Calls to the helpline 


Calls received 


204,700 


Calls answered 
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Call answer rates 


Average wait time 54 seconds 


Written advice 
Finished 


Caseload 


31 March 2015 84 
31 March 2016 137 


Age distribution of finished advice work 


2014/15 2015/16 


7 days or less 72% 41% 


30 days or less 


Self reported incidents — data protection 


Received 


2015/16 


Finished 


2015/16 2,051 
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Outcomes of complaint casework finished 


No action 
for DC* 


DC action 18.6% 


required 


Improvement | 2.4% 


Action plan agreed 


Undertaking | 1.3% 


served 
Not 0 
DPA O N 7% 


Advisory visit 0.7% 


recommended 


Civil Monetary 


Penalty persued O 4% 


0 200 400 600 800 1000 1200 1400 1600 1800 


*Data Controller 
Self reported incidents finished with the following outcomes — 


Compliance Audit recommended, Enforcement Notice pursued, DC outside 
UK and Criminal investigation pursued represented 0.5% of the total. 


Sectors generating most self reported incidents 


Health 


Education 8% 


7% General business 
4% Charities 

4% Solicitors/Barristers 

3% Lenders 

3% Policing & criminal records 
2% Housing 

1% Central Government 

1% Financial advisors 

1% Clubs/Associations 


Types of incidents generating most reports 


18% 

17% Data posted or faxed to incorrect recipient 
12% Data sent by email to incorrect recipient 

8% Insecure webpage (including hacking) 

6% Principle 1 — Principle 6 or P8 failure 
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PECR concerns 


Concerns reported 


2014/15 


2014/15 2015/16 


164 210 


Cookie concerns reported 


Nature of telesales and SPAM texts reported 


SPAM texts 
11% 


Telesales call 
where I heard 
a recorded voice 


Telesales call 45% 


where I spoke 
to a person 
44% 


Self reported incidents under PECR 


2014/15 285 
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Information access 


Requests received 


2014/15 


Requests completed 


2014/15 


Requests by legislation 


EIR 


Hybrid 
289 
FOI 
681 
DP 
304 


Response times 


2014/15 2015/16 
Time for compliance 


Average time (days) 2014/15 2015/16 
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O Performance 


Request outcomes 


Information provided 
in full 


Information partially 
provided 


Information 
witheld 


Information 
not held 


Further clarification 
needed 


Misguided 
request 


Withdrawn 
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Internal reviews 


Reviews completed 


2014/15 39 


Response times 


2014/15 2015/16 
Completed in 20 days 30 31 


Review outcomes 


M 14/15 
Miss 


Not upheld 


Partially upheld 
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Sustainability 


Context 


ICO sustainability reporting meets the requirements in the Financial Reporting 
Manual 2015-16 and the Treasury guidance “Public Sector Annual Reports: 
Sustainability reporting Guidance”. Reporting on sustainability helps ensure 
that the ICO is doing all it can to help meet government sustainability targets. 


The office employs approximately 400 people; the majority of whom are 
based in Wilmslow near Manchester in one leased building. This building 
was refurbished in 2010 and at that point the ICO invested in the most 
appropriate environmental solutions then available. 


The ICO is not responsible for any outside space and therefore does not 
have a biodiversity plan. 


We ask those tendering for contracts to provide their sustainability 
statements and policies as standard in most procurement exercises. 


2015-16 performance 


The Wilmslow building has a government energy performance operating 
rating of 62. A rating below 100 is an above average (positive) outcome. 


The largest contribution to ICO green house gas emissions is use of 
electricity. The installation of more energy efficient IT equipment during 
2015-16 has helped to reduce the amount of electricity used. Electricity 
usage figures for earlier years have been amended upwards following an 
administrative error. 


Business travel is also responsible for a large proportion of the ICO's green 
house gas emissions. Over the last few years the ICO has received new 
audit and enforcement powers and this has meant that staff numbers have 
increased as has the amount of business travel. In addition management 
changes affecting our offices in Belfast and Northern Ireland have 
considerably increased the number of flights taken. We have therefore 
changed how we collate travel figures this year to better reflect the 

actual travel done. Emissions from travel in 2013-14 have been amended 
downwards following an administrative error. 


We recently installed new more efficient gas boilers. However, gas usage 
has increased due to greater use of the building. 


We have a Green Group which has organised various initiatives over the year 
to raise staff awareness of green issues and to promote actions to lessen 
the office's impact on the environment. During the year the group organised 
a number of events including swapping unwanted Christmas gifts, and a 
greener travel to work week which was well supported. Staff left their cars 
at home and cycled, jogged, walked or car shared. Collectively they saved 
nearly 300 miles of travel. 
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Summarising total ICO performance: 


Total tonnes CO, 
2012/13 2013/14 2014/15 2015/16 
i = Se G G oe REE sures facet atch ae gee oo edocs earns era - a a a 2 Er a E 
A EET iia 
Scope 2 (electricity) 271 209 238 160 
(210) (153) (176) 
O a llosa io ye EERE E a = LE O = 
(48) 
e i PE LSE ENEE IAE E TEO TE EE EL T T EAO E A ae S E xS E aae E 
(288) (207) (244) 
Tonnes CO, per full time equivalent staffing 
2012/13 2013/14 2014/15 2015/16 
Hessen IE HT MEE RENTE Arr S EG aoe S ae E a 
(0.30) (0.00) 
o A O igen La ca A P = OT oan 
(0.58) (0.43) (0.48) 
E REIP EEA I PT TTE AA E EOT A AAD NS US o T aaa S 
PRO eds es SE CP PES nen om nat 
(0.80) (0.59) (0.67) 
Total waste, water and paper consumption 
2012/13 2013/14 2014/15 2015/16 
T E a: oo oo ar Per 
ee ET enna ce alae er eee Seth 
e A cork aia E EA Eee E SES sate eens ae TETTE o nan 18 a = an 


Waste, water and paper consumption per full time equivalent staffing 


2012/13 2013/14 2014/15 2015/16 
a E st Ñ S KEE E LIAA AATA AAIE AE EAE E EAA A a i : ARTER SE SB E a E ie S TE A 
a AEE PEE ee eee eres pe oer en as na 
a S TT E a is i 7 FÅ S i a S AR ERR Sel 
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Details of ICO performance: 


Total travel 

2012/13 2013/14 2014/15 2015/16 
za E AE ETE E A I E A AT E P E VE EEE e a 
rai H ee A T S E S R ES 
y E E E A E EE EET a e S a 55 a S 
vs E EN renee ern Oe neem (ES E ee z EEE Ges : ee eee 7 rai = i 
Rail 
Er T S E S R S T S 
o iaa 1 ias ren tee id pee Neue nied oe 
=P ae cline eal POE 7 EER a 7 7 dades 5 7 
Flights 
o S DEER SER E S S i eer 
e aisla iierdis o PET pe pes ae iieii S 
re G o PRETE HE S eae S S 
E os A oe z E ee E E E å FRR ATA El SA 7 
Travel Summary 
ee erra TTT T CE ere SYRE G TE BELÆG: TA 
ee een G ere RIN cent ree E S 
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Travel per full time equivalent staffing 


2012/13 2013/14 2014/15 2015/16 
me FEE ES SEE ERE SEES SEERE ENE TEE e arr KS enes AES EL ease 
ee HIRE DE n renere ser AT Han TE RANER see 
— E ai ds E aia as e E o E A : 7 nes F 
Tonnes CO. T are ETE Fa E A E no a FA 
Rail 
== TT er G i G fester 
a oi epee ATT pecan E és re E S gR C 
RE MET IEPEN AET POELTIANA AT A ISA ER E a ocaso a lanai S 
Flights 
RKR PO TT og L S T aiae er 
e RL T, oF pare teas e : S T S E S 7 
o EEEO PANEN A AEN A TAI E ETE TE n fern eee ET po E AED P P EPET a 
O aaron SM een eee E ES an ATENA es E 
Travel Summary 
ae pe naan baton ASP reer rete USERS DELENE mre E reat ern Cee as — aaa: > S E 
O JER BEES E ATE E EEE E T E SKEDE E TE te a PE S E ARER E T FE E S 
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Total utilities 


2012/13 2013/14 2014/15 2015/16 
= A EAEAN E AT EE E N T E E E A A EAE EE NN 
KOPEERITI ETE EEI TAEI H HH fuge: i Ka oe a illa An fr S EN Be a 

(3,734) 
ENE. ds ae S y i AER T y E S ERE RE : = Sanaa, S E de 
AA A uo r a a S 
(1) 
Electricity 
~ geo LO = om venne = E eee ec 2. on A Ven : S 
(404,454) (316,058) (327,158) 
a Ron ua one Ser aaa N nna SE arpa 
(48,126) (50,328) (54,232) 
a S E T att E en ase ala 7 S : jus 
(210) (153) (176) 
Utility summary 
enge A TO e dins free 
(55,867) (52,599) (56,007) 
SIRK S T BESES ENES HERE DELSE så SE) ie: PERKER AEL S S o ei i = 
(245) (163) (177) 
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Utilities per full time equivalent staffing 


2012/13 2013/14 2014/15 2015/16 
ger E on pr o ao 
Te eii TTT m regen mo EOT ; fee o PT 

(10.27) 
S dass e boa E AET FI 
a S E S i THT Ae T E pe MADEN N É i S T 
(0.00) 
Electricity 
AE E A ET H Å pre e pon. 
(893) (900) 
EIA G T H a no licor a a o ENT 
(133.78) (142.17) (149.19) 
A i Cogan take : ea E i AEE ETE e 
(0.58) (0.43) (0.48) 
Utility summary 
A iliac dhe alain REESE rier ; =ar ion i — s ET 
(148.58) (154.08) 
ENE fb 3 a O E E BYER E : = o : er S : os E e A 
(0.68) (0.46) (0.49) 


Notes: 


e Information on waste is provided by the contractors. 


e Travel costs and mileage are collated from central records and from 
staff directly. 


e The information is collated quarterly and if figures are not consistent 
with expectations they are checked. 


e Figures may not add due to rounding. 
e Figures in brackets are previously reported figures now amended. 


Christopher Graham 
Information Commissioner 
23 June 2016 
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Directors’ report 


Directorships and other significant interests held by 
Board Members that may conflict with their management 
responsibilities 


Membership of the ICO Management Board, along with further information, 
is detailed in the Governance Statement. 


A register of interests is maintained for the Information Commissioner 
and his Management Board. It is published on the Commissioner’s website 
at www.ico.org.uk. Declarations of interest in any of the items coming to 
a particular meeting are also asked for at Board, Audit Committee and 
Remuneration Committee meetings. 


Employee involvement and well being 


The ICO has a policy of co-operation and consultation with recognised trade 
unions over matters affecting staff. Senior managers regularly meet with 
trade unions to discuss issues of interest. In addition staff involvement in the 
work of the office is actively encouraged as part of the day-to-day process of 
line management. 


Equal opportunities and diversity 


We aim to ensure that all members of society have awareness of, and access 
to, their information rights and receive appropriate protection if their rights 
are infringed. To do this we have sought to include equality and diversity in 
our daily work. This has delivered a range of outcomes including: 


e improving the accessibility of the ICO website to make it easier for the 
public to raise concerns and access our guidance; 


e improving the accessibility of internal documents; 


e responding to a consultation on mental health legislation to help shape 
its impact on information rights; 


e increasing staff knowledge of autism and Asperger's; 


e working with the Government Equalities Office to develop guidance on 
the privacy of people who are trans-gender and on our procedures for 
handling Gender Recognition Certificates; 


e focusing advisory visits on organisations working with vulnerable 
members of society such as drug users, young people in care and 
women experiencing post-natal depression; and 


e assisting Age UK in their study into the financial services sector and 
the extent to which older people are vulnerable to malpractice. 


We have also provided our staff with a work environment and IT systems 
which help meet a range of needs; including accessible offices and IT 
systems, flexible and part-time working to help work-life balance and 
occupational health services. 
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We aim to recruit from a range of backgrounds and have long taken the 
applicant anonymous approach when assessing candidates for employment, 
an approach recently advocated by the government and civil service. This 
year saw an increase in the proportion of new staff who are from Black, 
Asian, or Minority Ethnic Communities and we continue to provide equality 
of access to promotion and training for all staff. 


Our Equality and Diversity Committee and Senior Management Team oversee 
our efforts to provide an increasingly accessible service. As part of this 
oversight we have improved the co-ordination of reports on equality based 
activity, giving a better picture of how we meet the aims of the Equality Act 
and in turn enabling us to publish our Annual Equality Report. 


The community 


During 2015-16 ICO staff supported a local Cheshire based charity, 

The Joshua Tree, which helps local families living with the life changing 
experience of childhood cancer. Staff supported a number of events including 
a football tournament, Snowdon walk, baking competition and a quiz and 
curry night. In addition staff raised funds for an air hockey table as a 
Christmas present for the children attending the charity's support centre. 
In total staff raised just over £1,500. 


Pension liabilities 


Details regarding the treatment of pension liabilities are set out in note 3 
to the financial statements. 


Personal data incidents 


There was one incident during 2015-16 which, based on ICO guidance for 
the self reporting of personal data incidents, we reported to our Enforcement 
department. 


The incident involved a small amount of personal information about five 
individuals held on one of our customer case files being accidentally 
disclosed to a customer of the same name. Some of the information about 
one of the five individuals was sensitive personal data. The incident was 
contained and there was no detriment to those involved. 


The incident was investigated in the same way as any reported to the ICO 
by a data controller. 


The outcome confirmed that the necessary controls were in place to mitigate 
the risk of an accidental disclosure of information in our casework process. 
Some recommendations were also made for further improvement. All 
recommendations were accepted and implemented. 


No formal action was proposed in response to the incident. 


Public sector information holders 


The ICO has complied with the cost allocation and charging requirements 
set out in HM Treasury guidance. 
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Annual accounts and audit 


The annual accounts have been prepared in a form directed by the Secretary 
of State with the consent of the Treasury in accordance with paragraph (10) 
(1) (b) of Schedule 5 to the Data Protection Act 1998. 


Under paragraph (10) (2) of Schedule 5 to the Data Protection Act 1998 
the Comptroller and Auditor General is appointed auditor to the Information 
Commissioner. The cost of audit services for this year was £32.50k (2014- 
15: £32.25k). No other assurance or advisory services were provided. 


So far as the Accounting Officer is aware, there is no relevant audit 
information of which the Comptroller and Auditor General is unaware, and 
the Accounting Officer has taken all the steps that he ought to have taken 
to make himself aware of relevant audit information and to establish that 
the Comptroller and Auditor General is aware of that information. 


Directors” statement 


Each of the persons who are directors at the time this report is approved: 


(a) so far as the director is aware there is no relevant audit information 
of which the auditor is unaware; and 


(b) the director has taken all the steps they ought to have taken as a 
director in order to make themselves aware of any relevant audit 
information and to establish that the auditor is aware of that information. 
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Statement of the Information 
Commissioner’s responsibilities 


Under paragraph 10(1)(b) of Schedule 5 to the DPA the Secretary of State 
has directed the Information Commissioner to prepare for each financial year 
a statement of accounts in the form and on the basis set out in the Accounts 
Direction. The accounts are prepared on an accruals basis and must give a 
true and fair view of the state of affairs of the Information Commissioner at 
the year end and of his income and expenditure, recognised gains and losses 
and cash flows for the financial year. 


In preparing the accounts the Information Commissioner is required to 
comply with the requirements of the Government Financial reporting Manual 
(FReM) and in particular to: 


e observe the Accounts Direction issued by the Secretary of State with the 
approval of the Treasury, including the relevant accounting and disclosure 
requirements, and apply suitable accounting policies on a consistent 
basis; 


e make judgements and estimates on a reasonable basis; 


e state whether applicable accounting standards as set out in the 
Government Financial Reporting Manual have been followed, and disclose 
and explain any material departures in the financial statements; and 


e prepare the financial statements on the going concern basis, unless it is 
inappropriate to presume that the Information Commissioner's Office will 
continue in operation. 


The Accounting Officer of the DCMS has designated the Information 
Commissioner as Accounting Officer for his Office. The responsibilities of an 
Accounting Officer, including responsibility for the propriety and regularity of 
the public finances and for keeping of proper records and for safeguarding 
the Information Commissioner’s assets, are set out in the Non-Departmental 
Public Bodies’ Accounting Officer Memorandum, issued by the Treasury and 
published in Managing Public Money. 
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Governance statement 


Introduction 


The Information Commissioner is a corporation sole as established 

under the DPA. Under the terms of the EU Data Protection Directive the 
Information Commissioner and his office must be completely independent of 
Government. I am accountable to Parliament for the exercise of my statutory 
functions and the independence of the ICO is enshrined in legislation. 


Relationship with the Department for Culture, 
Media and Sport 


As of the 17 September 2015 the DCMS became the sponsoring department 
for the ICO, replacing the MOJ. The relationship with the MOJ had been 
governed by a Framework Agreement which set out our responsibility to 
support the work of both organisations and to help ensure my independence 
and that of my office. 


The Agreement also ensured that appropriate reporting arrangements were 
in place to enable the MOJ to monitor the expenditure of public money 
allocated to the ICO. Following the transfer of sponsorship responsibility to 
the DCMS we continued to follow the spirit of the MOJ Framework Agreement 
in our relationship with the DCMS pending a new Management Agreement 
with the DCMS being finalised. 


At the same time as taking on sponsorship responsibilities the DCMS also 
took on policy responsibility for the DPA and its associated legislation. Earlier 
in the year the Cabinet Office had taken on policy responsibility for FOIA. 


Management Board 


L have a Management Board to support me in the role of Accounting Officer. 
The Board is responsible for developing strategy, monitoring progress in 
implementing strategy, providing corporate governance and assurance and 
for managing corporate risks. The Board comprises myself, up to two Deputy 
Commissioners and up to four non-executive members. 


The Board meets quarterly and considers risk management as well as 
reports on operational, financial, organisational and corporate issues. It also 
receives reports from my Audit Committee, Remuneration Committee and 
Senior Management Team. 


In the course of 2015-16 there were major changes in ICO senior 
management; Andrew Hind, Non-executive Director, left the ICO on 

31 August 2015; Graham Smith, Deputy Commissioner for Freedom of 
Information, left the ICO on 23 October 2015; and David Smith, Deputy 
Commissioner for Data Protection, retired on 18 November 2015. Not 
wanting to tie the hands of the next Commissioner and having consulted 
with Board members, I decided not to appoint a replacement for Andrew 
Hind. Ailsa Beaton, Non-executive Director, replaced Andrew Hind as chair 
of the Remuneration Committee at its November meeting. 
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In advance of David Smith's retirement a recruitment exercise to appoint 

a new Deputy Commissioner (Data Protection) was held. Unfortunately we 
were unsuccessful in identifying an appropriate successor. For this reason, 
and again because I did not want to tie the hand of the next Commissioner, 
I have not sought to recruit replacements for either David Smith or Graham 
Smith. I appointed Simon Entwisle, Deputy Chief Executive Officer, as my 
Deputy Commissioner from 2 November 2015. 


Given the loss of these very experienced members of my Board I changed 
the management structure of the ICO to ensure full support for myself and 
my successor during the transition to the new leadership. As of November 
2015 the Executive Team, Leadership Group and Information Rights 
Committee were all replaced by a Senior Management Team to provide 
day-to-day leadership for the ICO. 


The table below details attendance at the Management Board meetings 
during the year. 


Dates 27-Apr-15 27-Jul-15 2-Nov-15 25-Jan-16 Notes 


1 Deputy Commissioner from 


ea vastness a ee: 2 November 2015 

. i David Smith left the ICO 
eh raa e A EE. eee A : E 18 November 2015 

. Graham Smith left the ICO 

ba eee a e ence 23 October 2015 
Ailsa Beaton 1 1 1 1 
ssiahdwodancdada e e dde E ALOE ICO 
IED EEN NEN: ere -— DTE 31 August 2015 
lan Watmore 1 1 1 1 
Nicola Wood 1 1 1 1 
Audit Committee 
The Audit Committee meets quarterly and provides scrutiny, oversight and 
assurance in respect of risk control and governance. The Committee consists 
of lan Watmore as chair of the Committee, Ailsa Beaton as the other 
non-executive member and Roger Barlow as the independent member. 
The table below shows attendance of Audit Committee members at the 
meetings during the year. 
Dates 8-Jun-15 7-Sep-15 7-Dec-15 7-Mar-16 Notes 
lan Watmore 1 1 1 1 Chair 


Ailsa Beaton 1 1 1 1 
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The external and internal auditors attend the Audit Committee and have 
pre-meetings with Committee members. 


The Audit Committee has published its own Annual Report for 2015-16 on 
the ICO website (www.ico.org.uk). The report states that the Committee is 
satisfied with the quality of internal and external audit and believes that it 
is able to take a measured and diligent view of the quality of the systems 
of reporting and control within the ICO. 


Remuneration Committee 


The Board is supported by a Remuneration Committee consisting of two 
non-executive Board members. The Committee advises me and my Board 
on the ICO's remuneration policies and practices for all staff, and will, on 
behalf of the Board, determine the appropriate remuneration for Deputy 
Commissioners and the Deputy Chief Executive Officer. It does not decide 
on remuneration for the Commissioner which is set by Parliament. 


The Committee met on 9 June 2015 and on 9 November 2015. All members 
attended, along with the Commissioner and the Head of Organisational 
Development. Andrew Hind (chair) and Nicola Wood were the members for 
the first meeting, and Ailsa Beaton (chair) and Nicola Wood for the second 
meeting. 


Senior Management Team 


The Team provides day-to-day leadership for the ICO and as such has 
responsibility for developing and delivering against the information 
rights strategy and the ICO Plan. The Team consists of me, my Deputy 
Commissioner and Deputy Chief Executive, and Heads of Department. 
It meets fortnightly. 


Board effectiveness 


The Board evaluated its performance during the year. Members considered 
that the Board was effective in its support of the Commissioner. 


Similarly the Audit Committee, Remuneration Committee and Senior 
Management Team reviewed their performance. Again, the feedback was 
that there was no need for significant improvements. 


The Management Board has previously considered its compliance with the 
“Corporate governance in central government departments: Code of good 
practice 2011”. The ICO does not fully comply with the code, but the Board 
consider that there are good reasons for this given the size and nature of 
the organisation as a corporation sole. In particular: 


e the Board does not have the powers and duties of a Board in which is 
vested the ultimate authority of the organisation. This is because the 
Commissioner is the ‘corporation’; 


e the Board does not have a lead non-executive director, but given the size 
of the Board and the ICO and its responsibilities, this is not felt necessary; 


e non-executive members do not have a specific section in the ICO’s Annual 
Report but this is not currently considered necessary; 


e composition of the Board reflects the nature, responsibilities and size of 
the ICO; 
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e the ICO does not have a Nominations and Governance Committee but 
the Board's focus on governance, and the Remuneration Committee’s 
overview of remuneration policies in general is considered to provide 
the necessary coverage; and 


e in respect of an operating framework the Board has terms of reference 
supported by an annual work plan. 


Issues and highlights 


The ICO’s corporate governance structure has considered various issues 
of substance during the course of the year. These include: 


e staff engagement and industrial relations; 

e registration fee strategy; 

e the Triennial Review of the ICO; 

e a critical IT hardware failure; 

e IT strategy; 

e changes in the senior management structure; and 


e preparation for the EU data protection reforms. 


A risk assessment 


Risks are regularly refreshed by the Senior Management Team and, prior to 
its inception, by the Executive Team, with a major review each spring. The 
register is also discussed at Management Board, Audit Committee and at 
quarterly meetings with the ICO’s sponsoring department. 


The main risks identified during the year are detailed in the Performance 
report. 


Sources of assurance 


As Accounting Officer I have responsibility for reviewing the effectiveness 
of the system of internal control, including the risk management framework. 
My review is informed by the work of the internal auditors and the Senior 
Management Team members who have responsibility for the development 
and maintenance of the internal control framework, and comments made by 
the external auditors in their management letter and other reports. In their 
annual report, our internal auditors have given an overall assurance that 
they are satisfied that sufficient internal audit work has been undertaken 
to allow them to draw a reasonable conclusion as to the adequacy and 
effectiveness of the ICO’s risk management, governance and control 
processes. 


I have been advised on the implications of the result of my review by 

the Board and the Audit Committee. I am satisfied that a plan to address 
weaknesses in the system of internal control and ensure continuous 
improvement of the system is in place. I am also satisfied that all material 
risks have been identified and that those risks are being properly managed. 
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Remuneration and Staff: 
Remuneration policy (audited) 


Schedule 5 to the DPA provides that the salary of the Information 
Commissioner is to be specified by a Resolution of the House of Commons 
and on 24 November 2008 the House of Commons resolved that in respect of 
service after 30 November 2007 the salary of the Information Commissioner 
should be £140,000 pa. The salary of the Information Commissioner is paid 
directly from the Consolidated Fund in accordance with the Schedule. 


Prior to 1 September 2013 the remuneration of staff and other officers 
was determined by the Information Commissioner with the approval of 
the Secretary of State. Following commencement of Section 108 of the 
Protection of Freedoms Act such decisions are now made in consultation 
with the Secretary of State and Treasury. 


In making decisions on remuneration the Information Commissioner 
has regard to the following considerations: 


e the need to recruit, retain and motivate suitably able and 
qualified people; 


e government policies for improving the public services; 
e the funds available to the Information Commissioner; and 
e Treasury pay guidance. 


The Remuneration Committee considers and advises the Management Board 
on remuneration policies and practices for all staff, and will, on behalf of the 
Board, determine appropriate remuneration for the Deputy Commissioners 
and the Deputy Chief Executive Officer. The Committee's decision includes 
individual performance as a factor. 


Unless otherwise stated below, staff appointments are made on merit on 
the basis of fair and open competition and are open-ended until normal 
retiring age. Early termination, other than for misconduct, should result 
in the individual receiving compensation as set out in the Civil Service 
Compensation Scheme. 


Non-executive Directors are paid an annual salary of £12,000 and are 
appointed for an initial term of three years, renewable by mutual agreement 
for one further term of a maximum of three years. 
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Remuneration report 


Salary and pension entitlements 
Details of the remuneration and pension interests of the Information 


Commissioner and his most senior officials are provided below. 


Remuneration (salary, bonuses, benefits in kind and pensions) 


(audited) 


Single total figure of remuneration 


Officials 


Benefits in 


Pension 
benefits 
(£’000)! 


Salary 
(£’000) 
2015/ 2014/ 
16 15 


Christopher 
Graham 
Information 
Commissioner 
& Chief 
Executive 


140-145 140-145 


50-55 


50-55 


Simon 
Entwisle 
Director of 
Operations/ 
Deputy CEO 


David Smith 
Deputy 
Commissioner 
and Director 
for Data 
Protection 


55-60 


Deputy 
Commissioner 
and Director 
for FOI 


15-20 


35-40 


Ailsa Beaton 
Non-Executive 
Board Member 
(appointed 01 
August 2014) 


Andrew Hind 
Non-Executive 
Board Member 


Ian Watmore 
Non-Executive 
Board Member 


Nicola Wood 
Non-Executive 
Board Member 
(appointed 01 
January 2015) 


90-95 90-95 
70-75 85-90 
(full year (full year 
90-95) 90-95) 
50-55 
(full year 90-95 
90-95) 
5-10 
10-15 (full year 
10-15) 
5-10 
(full year 10-15 
10-15) 
10-15 10-15 
1-5 
10-15 (full year 
10-15) 


kind (£’000) 
(-nearest £100) 
2015/ 2014/ 
16 15 
0.1 0.1 
0.1 0.1 


Compensation 

schemes 

(£’000) 

2015/ 2014/ 
16 15 


Total (£’000) 
2015/ 2014/ 
16 15 
190- 190- 
200 200 
125- 160- 
135 165 
125- 230- 
135 235 
125- 
60-70 130 
10-15 5-10 
5-10 10-15 
10-15 10-15 
10-15 1-5 
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The value of pension benefits accrued during the year is calculated as the 
real increase in pension multiplied by 20 plus the real increase in any lump 
sum, less the contributions made by the individual. The real increases 
exclude increases due to inflation or any increase or decrease due to a 
transfer of pension rights. 


Salary comprises gross salary and any other allowance to the extent that 

it is subject to UK taxation. No bonus payments were made in 2015-16. In 
2014-15 payments of £100 were made to Simon Entwisle, David Smith and 
Graham Smith in line with the ICO's general bonus scheme. 


Benefits in kind relate to the organisation's contribution to the ICO's health 
care plan provided by BHSF. 


Pay multiples (audited) 


Reporting bodies are required to disclose the relationship between the 
remuneration of the highest paid director in their organisation and the 
median remuneration of the organisation's workforce. The Information 
Commissioner is deemed to be the highest paid Director and no member 
of staff receives remuneration higher than the highest paid Director. 


The banded remuneration of the highest paid director of the ICO in the 
financial year 2015-16 was £140k to £145k (2014-15: £140k to £145k). 
This was 5.7 times (2014-15: 5.7 times) the median remuneration of 

the workforce, which was £24,651 (2014-15 £24,440). The median total 
remuneration is calculated by ranking the annual full time equivalent salary 
as at 31 March 2016 for each member of staff. 


Staff remuneration ranged from £16,328 to £140,000 (2014-15: £16,227 
to £140,000). 


Total remuneration includes salary, non-consolidated performance-related 
pay and benefits-in-kind. It does not include severance payments, 
employer pension contributions and the Cash Equivalent Transfer Value 
(CETV) of pensions. 


In common with other public sector organisations, the ICO has adhered 
to pay restraint policies. 
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Pension Benefits (audited) 


Accrued Pension at 
pension age as at 


Real increase in 
pensionand CETV at 
related lump sum 31 March 


CETV at 
31 March 
2015 


Real 
increase in 
CETV 


31 March 2016 and 

related lump sum 

£'000 

Christopher Graham Pension 20-25 
Information Commissioner Lump sum 
Nil 

Simon Entwisle Pension 40-45 
Director of Operations/ Lump sum 
Deputy CEO 125-130 
David Smith Pension 45-50 
Deputy Commissioner Lump sum 
and Director for DP 145-150 
Graham Smith Pension 15-20 
Deputy Commissioner Lump sum 
and Director for FOI 45-50 


at pension age 2016 
£'000 £'000 
2:5=5 408 
2,5=5 

986 
5-7.5 
2.5-5 
1,055 
7.5-10 
0-2.5 
364 
2.5=5 


The CETV figures are provided by MyCSP, the ICO's Approved Pensions 
Administration Centre, who have assured the ICO that they have been 
correctly calculated following guidance provided by the Government 


Actuary's Department. 
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Partnership pensions 


There were no employer contributions to partnership pension accounts 
in the year for the above staff. 


Civil Service pensions 


Further details about the Civil Service pension arrangements can be found 
at the website www.civilservice.gov.uk/pensions. 


Cash Equivalent Transfer Values 


A CETV is the actuarially assessed capitalised value of the pension scheme 
benefits accrued by a member at a particular point in time. The benefits 
valued are the member's accrued benefits and any contingent spouse's 
pension payable from the scheme. It represents the amount paid made by 
a pension scheme or arrangement to secure pension benefits in another 
pension scheme arrangement when the member leaves a scheme and 
chooses to transfer the benefits accrued in their former scheme. 


The pension figures shown relate to the benefits that the individual has 
accrued as a consequence of their total membership of the pension scheme, 
not just their service in a capacity to which disclosure applies. 


The figures include the value of any pension benefit in another scheme or 
arrangement that the individual has transferred to the Civil Service pension 
arrangements. They also include any additional pension benefit accrued to 
the member as a result of their purchasing additional pension benefits at 
their own cost. CETV's are worked out in accordance with The Occupational 
Pensions Schemes (Transfer Values) (Amendment) Regulations 2008 and 
do not take account of any actual or potential reduction to benefits 
resulting from Lifetime Allowance Tax which may be due when pension 
benefits are taken. 


Real increase in CETV 


This reflects the increase in CETV that is funded by the employer. It does not 
include the increase in accrued pension due to inflation, contributions paid by 
the employee (including the value of any benefits transferred from another 
pension scheme or arrangement) and uses common market valuation factors 
for the start and end of the period. 
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Staff report 


Number of senior civil service staff (or equivalent) by band 


The Information Commissioner, the two former Deputy Commissioners, 
the Non-executive Directors and the Deputy Commissioner and Deputy 
Chief Executive Officer are the only staff categorised as being at a grade 
equivalent to the senior civil service. 


Staff numbers and costs (split between permanent and short 
term contract/agency staff) 


Full figures can be found in note 3 to the financial statement. 
As at 31 March 2016 the ICO had 442 permanent staff (409 full time 


equivalents). The average number of permanent staff over the year was 415 
(384 full time equivalents). 


Staff composition 


As of the end of this financial year there were five members of the 
Management Board of whom three were male and two female. 


Across the ICO as a whole 39.8% of staff were male and 60.2% female. 


Sickness absence 


The average number of sick days taken per person during the year was 
5.6 days (2014-15: 4.5 days). 


Staff policies relating to the employment of disabled persons 


The ICO's recruitment processes ensure that shortlisting managers only 
assess the applicant’s skills, knowledge and experience for the job. All 
personal information is removed from applications before shortlisting. 


The ICO continues to apply the Two Ticks standard for job applicants who 
are disabled. It has also assisted in the continued employment of disabled 
people by providing a work environment that is accessible and equipment 
that allows people to perform effectively. Our disabled staff are given 
equal access to training and promotion opportunities and adjustments are 
made to work arrangements, work patterns and procedures to ensure that 
people who are, or become, disabled, are treated fairly and can continue to 
contribute to the ICO's aims. 


During the year we also started an exercise to get feedback from disabled 
staff about their experience at the ICO to help inform future people policies 
and procedures. 

Expenditure on consultancy 

There has been no expenditure on consultancy during 2015-16. 


Off-payroll engagements 


There were no off payroll engagements during 2015-16. 
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Exit packages (audited) 


Total number of exit packages 


Exit package cost band by cost band 

2015/16 2014/15 
Sann i i 
inni cts m 
S E S r 
TG A ins E œ 
Total number of _ 1 


exit packages 


Redundancy and other departure costs have been paid in accordance with 
the provisions of the Civil Service Compensation Scheme, a statutory 
scheme made under the Superannuation Act 1972. Exit costs are accounted 
for in full in the year of departure. Where the Information Commissioner 

has agreed early retirements the additional costs are met by the Information 
Commissioner and not by the Civil Service pension scheme. III health 
retirement costs are met by the pension scheme and are not included in the 
table above. 


There were no compulsory redundancies in the year (2014-15: none). 


Ex-gratia payments made outside of the provisions of the Civil Service 
Compensation Scheme are agreed directly with the Treasury. 
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Parliamentary accountability 
and audit report: 
Regularity of expenditure (audited) 


HM Treasury imposed an administrative sanction of £18.4k following the 
provision of retrospective approval for pay awards for the year ended 2014- 
15. This was charged in 2015-16 by way of a reduction in the grant in aid 
payable. £3,750k was payable but £3,731.6k was received - see statement 
of changes in taxpayer's equity. 

Treasury approval was granted for a Special Payment to the Commissioner 
(Christopher Graham) in respect of legal expenses of £7,320 incurred in 
defence of a charge of a breach by the Commissioner of section 77 of FOIA. 


The investigation concluded that there was no case for the Commissioner 
to answer. 


Fees and charges (audited) 


Information on fees collected from data controllers who notify their 
processing of personal data under the DPA is provided as part of the 
performance report earlier in this document. 


Remote contingent liabilities 


Please see note 16 to the accounts. 


Long-term expenditure trends 


In the long-term it is expected that expenditure trends will remain as now. 


Christopher Graham 
Information Commissioner 
23 June 2016 
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The Certificate and Report of the 
Comptroller and Auditor General 
to the Houses of Parliament 


I certify that I have audited the financial statements of the Information 
Commissioner's Office for the year ended 31 March 2016 under the Data 
Protection Act 1998. The financial statements comprise: the Statements of 
Comprehensive Net Expenditure, Financial Position, Cash Flows, Changes in 
Taxpayers’ Equity; and the related notes. These financial statements have 
been prepared under the accounting policies set out within them. I have 
also audited the information in the Remuneration and Staff Report and the 
Parliamentary Accountability Disclosures that is described in that report as 
having been audited. 


Respective responsibilities of the Board, Accounting Officer 
and auditor 


As explained more fully in the Statement of Information Commissioner's 
Responsibilities, the Board and the Accounting Officer are responsible for 
the preparation of the financial statements and for being satisfied that they 
give a true and fair view. My responsibility is to audit, certify and report on 
the financial statements in accordance with the Data Protection Act 1998. I 
conducted my audit in accordance with International Standards on Auditing 
(UK and Ireland). Those standards require me and my staff to comply with 
the Auditing Practices Board's Ethical Standards for Auditors. 


Scope of the audit of the financial statements 


An audit involves obtaining evidence about the amounts and disclosures 

in the financial statements sufficient to give reasonable assurance that 

the financial statements are free from material misstatement, whether 
caused by fraud or error. This includes an assessment of: whether the 
accounting policies are appropriate to the Information Commissioner's 
Office's circumstances and have been consistently applied and adequately 
disclosed; the reasonableness of significant accounting estimates made by 
the Information Commissioner's Office and the overall presentation of the 
financial statements. In addition I read all the financial and non-financial 
information in the Annual Report to identify material inconsistencies with 
the audited financial statements and to identify any information that is 
apparently materially incorrect based on, or materially inconsistent with, the 
knowledge acquired by me in the course of performing the audit. If I become 
aware of any apparent material misstatements or inconsistencies I consider 
the implications for my certificate. 


I am required to obtain evidence sufficient to give reasonable assurance 
that the expenditure and income recorded in the financial statements have 
been applied to the purposes intended by Parliament and the financial 
transactions recorded in the financial statements conform to the authorities 
which govern them. 


Opinion on regularity 


In my opinion, in all material respects the expenditure and income recorded 
in the financial statements have been applied to the purposes intended by 
Parliament and the financial transactions recorded in the financial statements 
conform to the authorities which govern them. 
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Opinion on financial statements 


In my opinion: 


e the financial statements give a true and fair view of the state of the 
Information Commissioner's Office's affairs as at 31 March 2016 and 
of the net expenditure for the year then ended; and 


e the financial statements have been properly prepared in accordance 
with the Data Protection Act 1998 and Secretary of State directions 
issued thereunder. 


Opinion on other matters 


In my opinion: 


e the parts of the Remuneration and Staff Report and the Parliamentary 
Accountability disclosures to be audited have been properly prepared 
in accordance with Secretary of State directions made under the Data 
Protection Act 1998; and 


e the information given in the Performance Report and Accountability Report 
for the financial year for which the financial statements are prepared is 
consistent with the financial statements. 


Matters on which I report by exception 

I have nothing to report in respect of the following matters which I report 

to you if, in my opinion: 

e adequate accounting records have not been kept or returns adequate for 
my audit have not been received from branches not visited by my staff; or 


e the financial statements and the parts of the Remuneration and Staff 
Report and the Parliamentary Accountability disclosures to be audited 
are not in agreement with the accounting records and returns; or 


e I have not received all of the information and explanations I require 
for my audit; or 


e the Governance Statement does not reflect compliance with 
HM Treasury’s guidance. 
Report 


I have no observations to make on these financial statements. 


Sir Amyas C E Morse Date: 27 June 2016 
Comptroller and Auditor General 


National Audit Office 

157-197 Buckingham Palace Road 
Victoria 

London 

SW1W 9SP 
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Statement of comprehensive net expenditure 
(audited) for the year ended 31 March 2016 


2015/16 2014/15 
Note £000 £000 £000 £000 
Expenditure 
Staff costs S 14,316 ISS 
Other expenditure 6,724 6,455 
Depreciation and other non-cash costs 4 2,162 1,790 
8,886 8,245 
Total expenditure 23,202 2557 
Income 
Income from activities 5a (17,819) (17,649) 
Net expenditure 5383 3,908 
Other comprehensive expenditure 
Net gain on revaluation of property, 
plant and equipment lee) ay) 
Total comprehensive expenditure BEDES 3,888 


for the year ended 31 March 


All income and expenditure relates to continuing operations. 


68 Statement of comprehensive net expenditure 


Annual Report 2015/16 Financial statements (C) 


Statement of financial position (audited) 
as at 31 March 2016 


31 March 2016 31 March 2015 
Note £000 £000 £000 £000 
6 se E i DESK T 
E : P S S se A RETA E nb Se Sheree een ene da A T E T 
P E PE : cone NEL IN a RAE E T i is = S ae i Z 
Total non-current assets 2,460 3,630 
Current assets 
BER SE ee ENE KEE SEER a PO T NSER o a ER Br 
Ben eee SPARES ONS Bi ROR an eer ie AG cee he me IP Be 7 E S 
Total Current assets 5,199 4,103 
Total assets 7,659 7,733 
Current liabilities 
DE E os a a T RUTER ERR ic PSS ne ee re ee i cee ore o S Re : 
Be = Pcie E E Aen eer ered eee ran ea en ie a LION O Oe! a ESE een eRe E RENEE BED SEE E E 
SE Ene SEERE 3,560 5,412 
Non-current liabilities 
aoe os FERED ARTO Fig ERENT En LACS EA E A PSC Pe NS ee des e OE O SM FRIE e UK TYRE TERE ee ene E ED i 
Assets less liabilities 3,506 4,840 
Taxpayers’ equity 
o å a or ER te rc rere er etry ee SST er nee ERIS ee oe ET NRE oon a = AA E ER 
es i 2 a Neue TE Mee ne ets aCe ee ECE a EERO TE Nore ELENA BEEN ES UIE ORGY sche CRs nl EE EN ENES AS 7 a 
3,506 4,840 


Christopher Graham 
Information Commissioner 


23 June 2016 
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Statement of cash flows (audited) 
for the year ended 31 March 2016 


2015/16 2014/15 
Note £'000 £'000 
o aa å S A SOIC ee T SPREE 
es g A 5 = ae E SL E SEE Tt BRN DRE KORS SSAC AN nae Ba Set rn oR ou er ed aA aS ERAN: oan : 
a a a E E A E A ENE ESSEN, a T pee ace 
sone cee a a Be tite einer UE 7 T i i BASERES DEN SEE ; AR 
o E A BOESEN SKE LAS ENDER Pe Ah gue Pee 
tee pees Bk SES ee Ss sn cee cee RG ONY OR Mtn alana NH a er Aoo i 5 Pern Ser o É 
Net cash outflow from operating activities (3,493) (2,478) 
Cash flows from investing activities 
re Ga hace ØR T DERE EEN NREN E BERG, ens E ER 
ee ee a ae ee SOE REE TRE STEEN URINE Te A Un ere eaten ~ v S : ~ ; 
Net cash outflow from investing activities (864) (817) 
Cash flows from financing activities 
ee a ene a Te, REN rR ees ee em er ee i E 31 T S 
Net cash flows from financing activities 3,731 3,700 
Net increase/(decrease) in cash and cash equivalents during 
the year before adjustment for receipts and payments to the 
Consolidated Fund (626) 405 
as : ae = ER ere A eee anna aaa clue ae anne Rte 
of the Information Commissioner's activities 1,563 822 
ee et E cers r 


Net increase/ (decrease) in cash and cash equivalents in 
the year after adjustment for receipts and payments to the 109 (204) 
Consolidated Fund 


Cash and cash equivalents at the start of the year 2,699 2,903 
Cash and cash equivalents at the end of the year 10 2,808 2,699 
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Statement of changes in taxpayers’ equity 
(audited) for the year ended 31 March 2016 


Revaluation General Total 
reserve reserve reserves 
Note £'000 £000 £000 
Balance at 31 March 2014 283 4,555 4,838 
Changes in tax payers’ equity 2014/15 
Grant in aid from the Ministry of Justice — 3,700 3,700 
FE RET TT CO Caen ne T 
Comprehensive expenditure for the year 20 (3,908) (3,888) 
Non-cash charges — Information Commissioner's 3 a 190 190 
salary costs 
Balance at 31 March 2015 266 4,574 4,840 
Changes in tax payers’ equity 2015/16 
Grant in aid from the DCMS 13 = 3 73d 3,731 
Transfers between reserves (289) 289 — 
Comprehensive expenditure for the year i 128 (5,383) l (5,255) 
Non-cash charges — Information Commissioner's 3 ER 190 190 
salary costs 
Balance at 31 March 2016 105 3,401 3,506 
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Notes to the accounts (audited) 


1.1 


1.2 


Statement of accounting policies 


These financial statements have been prepared in accordance with 
the 2015-16 Government Financial Reporting Manual (FReM) issued 
by HM Treasury. The accounting policies contained in the FReM apply 
International Financial Reporting Standards (IFRS) as adapted or 
interpreted for the public sector context. Where the FReM permits 
a choice of accounting policy, the accounting policy which is judged 
most appropriate to the particular circumstances of the Information 
Commissioner for the purpose of giving a true and fair view has 
been selected. The particular policies adopted by the Information 
Commissioner are described below. They have been applied 
consistently in dealing with items that are considered material to 
the accounts. 


Accounting convention 

These accounts have been prepared under the historical cost 
convention modified to account for the revaluation of property, plant 
and equipment and intangible assets at their value to the business 
by reference to current costs. 


Disclosure of IFRSs in issue but not yet effective 

The Information Commissioner has reviewed the IFRS in issue but not 
yet effective (as below), and has determined that there are no new 
IFRS relevant or likely to have a significant impact. 


a aye T Impact |. 
IFRS 5 - Non current assets held for sale Not applicable 
IFRS 7 - Financial Instruments Disclosures Not applicable 
JERS Z z Minandal Instruments DESI ER 


IFRS 10 and IAS 28 - Sale or contribution of Not applicable 
Assets between an investor and its associates 
or joint (amendment) 


IFRS 10, IFRS 12, IAS 28 - Investment Not applicable 
entities: applying the Consolidation 
Exception (amendment) 


IFRS 11 - Accounting for acquisitions Not applicable 

of interests in joint operations 
TO AN 
.IFRS 14 ~ Regulatory Deferral Accounts... Not applicable 
IFRS 15 - Revenue from Contracts with Not applicable 


Customers (IAS 18 replacement - Revenue 
Recognition and Liabilities Recognition) 


„IFRS 16 and IAS 17 replacement -~ Leases | Immaterial o... 
IAS 1 - Disclosure Initiative (amendment) Immaterial č < 
IAS 16 and IAS 41 - Bearer Plants Not applicable 
(amendment) 
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Standard Impact 


IAS 16 and IAS 38 - Clarification of acceptable Immaterial 
methods of depreciation and amortisation 
(amendment) 


IAS 27 - Equity Method in Separate Financial Not applicable 
Statements (amendment) 


Grant in aid 

Grant in aid is received from the DCMS to fund expenditure on 
freedom of information work, and is credited to the General Reserve 
on receipt. Receipts for the year were £3,731k (2014-15: £3,700k). 


Cash and cash equivalents 

Cash and cash equivalents recorded in the Statement of Financial 
Position (SoFP) and Statement of Cash Flows include cash in hand, 
deposits held at call with banks, other short-term highly liquid 
investments and bank overdrafts. 


Income from activities and Consolidated Fund income 

Income collected under the DPA is surrendered to the DCMS as 
Consolidated Fund income, unless the DCMS (with the consent of the 
Treasury) has directed otherwise, in which case it is treated as Income 
from activities. There are three main types of income collected: 


Data protection notification fees 

Fees are collected from annual notification fees paid by data 
controllers required to notify their processing of personal data under 
the DPA. The Commissioner has been directed to retain the fee 
income collected to fund data protection work and this is recognised 
in the Statement of Comprehensive Net Expenditure as income. At the 
end of each year the Commissioner may carry forward to the following 
year sufficient fee income to pay year end creditors. Any fees in 
excess of these limits are paid over to the Consolidated Fund. 


Civil monetary penalties 

The Commissioner can impose civil monetary penalties for serious 
breaches of the DPA or PECR of up to £500k. A penalty can be 
reduced by 20% if paid within 30 days of being issued. 


The Commissioner does not take action to enforce a civil monetary 
penalty unless and until the period specified in the notice as to when 
the penalty must be paid has expired and the penalty has not been 
paid, all relevant appeals against the monetary penalty notice and any 
variation of it have either been decided or withdrawn, and the period 
for the data controller to appeal against the monetary penalty and any 
variation of it has expired. 


Civil monetary penalties collected by the Commissioner are 
recognised on an accruals basis when issued. They are paid over to 
the Consolidated Fund, net of any early payment reduction when 
received. Civil monetary penalties are not recognised in the Statement 
of Comprehensive Net Expenditure but are treated as an asset in the 
Statement of Financial Position. 
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The amounts recognised are regularly reviewed and subsequently 
adjusted in the event that a civil monetary penalty is varied, 
cancelled, impaired or written off as irrecoverable. Amounts are 
written off as irrecoverable on the receipt of legal advice. Legal 
fees incurred in recovering debts are borne by the ICO. 


Sundry receipts 

The Commissioner has been directed to retain certain sundry receipts 
such as reimbursed travel expenses, conference fees and recovered 
legal costs. This is recognised in the Statement of Comprehensive 
Net Expenditure as income. Conference fee income of £57k has been 
identified separately for the first time this year. The comparative 
figure for 2014-15 of £47k is not considered material and so the 
comparative figures have not been amended. 


The Commissioner has interpreted the FReM to mean that he is 
acting as a joint agent with the DCMS, and that income not directed 
to be retained as Income from Activities falls outside of normal 
operating activities and are not reported through the Statement of 
Comprehensive Net Expenditure, but disclosed separately within the 
notes to the accounts. This included receipts such as bank interest, 
which is paid to the Consolidated Fund. 


1.6 Notional costs 
The salary and pension entitlement of the Information Commissioner 
are paid directly from the Consolidated Fund and are included within 
staff costs and then reversed with a corresponding credit to the 
General Reserve. 


1.7 Pensions 
Past and present employees are covered by the provisions of the 
Principal Civil Service Pensions Scheme (PCSPS). 


1.8 Property, plant and equipment 
Assets are classified as property, plant and equipment if they are 
intended for use on a continuing basis, and their original purchase 
cost, on an individual basis, is £2,000 or more, except for laptop and 
desktop computers, which are capitalised even when their individual 
cost is below £2,000. 


Property, plant and equipment (excluding assets under construction) 
are carried at fair value. Depreciated modified cost is used as a proxy 
for fair value by using appropriate indices published by the Office 

for National Statistics, due to the short length of the useful life of 
information technology and furniture and fittings, and the low values 
of items of plant and machinery. 


At each balance sheet date the carrying amounts of property, plant 
and equipment and intangible assets are reviewed to determine 
whether there is any indication that those assets have suffered an 
impairment loss. If any such indication exists the fair value of the 
asset is estimated in order to determine the impairment loss. Any 
impairment charge is recognised in the Statement of Comprehensive 
Net Expenditure account in the year in which it occurs. 
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Depreciation 

Depreciation is provided on property, plant and equipment on a 
straight-line basis to write off the cost or valuation evenly over the 
asset's anticipated life. A full year’s depreciation is charged in the year 
in which an asset is brought into service. No depreciation is charged in 
the year of disposal. The principal lives adopted are: 


Information technology: between five and 10 years 
Plant and machinery: between five and 10 years 
Leasehold improvements: over the remainder of the property lease 


Intangible assets and amortisation 

Intangible assets are stated at the lower of replacement cost and 
recoverable amount. Computer software licences and their associated 
costs are capitalised as intangible assets where expenditure of £2,000 
or more is incurred. Software licences are amortised over their useful 
economic life which is estimated as four years or the length of the 
contract, whichever is the shorter term. 


Operating leases 

Amounts payable under operating leases are charged to the 
Comprehensive Net Expenditure Account on a straight-line basis over 
the lease term, even if the payments are not made on such a basis. 


Provisions 

Provisions are recognised when there is a present obligation as a 
result of a past event where it is probable that an outflow of resources 
will be required to settle the obligation and a reliable estimate of the 
amount of the obligation can be made. 


Value added tax 

The Information Commissioner is not registered for VAT as most 
activities of the Information Commissioner’s Office are outside of the 
scope of VAT and fall below the registration threshold. VAT is charged 
to the relevant expenditure category, or included in the capitalised 
purchase cost of non-current assets. 


Segmental reporting 
The policy for segmental reporting is set out in note two to the 
Financial statements. 
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2. Analysis of net expenditure by segment 


Data Freedom of 2015/16 

protection information Total 

£7000 £000 £7000 

a e S DE STEEN SEERNES S T a 
o T aT T a ts A E reece ee ee ia a 
Net expenditure Loss 3,750 5883 
Data Freedom of 2014/15 

protection information Total 

£'000 £'000 £'000 
A 
GERE SAGE BERGE Rant cena UNE SEE Os z o 
Net expenditure 208 3,700 3,908 


All expenditure is classed as administrative expenditure. 


The analysis above is provided for fees and charges purposes and 
for the purpose of IFRS 8: Operating Segments. 


The factors used to identify the reportable segments of data 
protection and freedom of information were that the Commissioner's 
main responsibilities are contained within the DPA and FOIA, and 
funding is provided for data protection work by collecting an annual 
registration fee from data controllers under the DPA, whilst funding for 
freedom of information is provided by a grant in aid from the DCMS. 


The data protection registration fee is set by the Secretary of State, 
and in making any fee regulations under section 26 of the DPA, as 
amended by paragraph 17 of Schedule 2 to FOIA, he shall have 
regard to the desirability of securing that the fees payable to the 
Commissioner are sufficient to offset the expenses incurred by the 
Commissioner, the Information Tribunal and any expenses of the 
Secretary of State in respect of the Commissioner of the Tribunal, 
and any prior deficits incurred, so far as attributable to the functions 
under the DPA. 


These accounts do not include the expenses incurred by the 
Information Tribunal or the Secretary of State in respect of the 
Commissioner, and therefore cannot be used to demonstrate that the 
data protection fees offset expenditure on data protection functions, 
as set out in the DPA. 


Expenditure is apportioned between the data protection and freedom 
of information work on the basis of costs recorded in the ICO's 
accounting system. This allocates expenditure to various cost centres 
across the organisation. A financial model is then applied to apportion 
expenditure between data protection and freedom of information on 
an actual basis, where possible, or by way of reasoned estimates 
where expenditure is shared. This model is monitored by the DCMS. 
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Staff numbers and related costs 
(audited) 


Staff costs comprise: 


Permanently 2015/16 2014/15 

employed staff Others Total Total 

£7000 £7000 £7000 £7000 

ne E OTTO ee ela oe S oo 
T ose ee a a ree 
S S oe S See a 
Sub-total 14,125 345 14,470 13,376 
dea in respect of outward (154) pe (154) (64) 
Total net costs 13,971 345 14,316 T3,312 


Included in staff costs above are notional costs of £190k (2014- 

15: £190k) in respect of salary and pension entitlements of the 
Information Commissioner and the associated employers national 
insurance contributions which are paid directly from the Consolidated 
Fund, temporary agency staff costs of £345k (2014-15: £395k) 

as well as the amounts relating to the senior management team 
disclosed in the Remuneration report. 


Average number of persons employed 


The average number of whole time equivalent persons employed 
during the year was: 


Permanently Temporarily 


employed employed 2015/16 2014/15 
P E A E E SEE LT ORL E RE staff Staff. Total Total 
PMCs) inl Ney ee E ee ee 
Agency staff = 9 9 i5 


Total employed 384 9 393 378 


Pension arrangements 

The PCSPS is an unfunded multi-employer defined benefit scheme. 
The ICO is unable to identify its share of the underlying assets and 
liabilities. The Scheme Actuary valued the scheme at 31 March 2007. 
Details may be found in the resource accounts of the Cabinet Office 
Civil Superannuation (www.civilservice.gov.uk/pensions). 


For 2015-16 employers contributions of £2,102k (2014-15: £1,753K) 
were payable to the PCSPS at one of four rates in the range 20-24.5% 
(2014-15 16.7% - 24.3%) of pensionable pay, based on salary bands. 
The Scheme's Actuary reviews employer contributions usually every 
four years following a full Scheme valuation. The contribution rates 
are set to meet the cost of benefits accruing during 2015-16 to be 
paid when the member retires and not the benefits paid during the 
period to existing pensioners. 
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Employers can opt to open a partnership account, a stakeholder 
pension with an employer contribution. Employers’ contributions of 
£65K (2014-15: £33K), were paid to one or more of a panel of three 
appointed stakeholder pension providers. Employers’ contributions 
are age related and range from 8% to 14.8% of pensionable pay. 

In addition, employers contributions of £2k (2014-15: £2.5k), 0.5% 
of pensionable pay, were payable to the PCSPS to cover the cost 

of future provision of lump sum benefits on death in service and ill 
health retirement of these employees. 


Contributions due to partnership pension providers at the 
Statement of Financial Position date were £6.6k (2014-15 £nil). 
Contributions prepaid at the date were £nil (2014-15 £nil). 
Pension costs include notional employers’ contributions of £34K 
(2014-15: £34K) in respect of notional costs in respect of 

the Commissioner. 


No individuals retired early on health grounds during the year. 


4. Other expenditure 


2015/16 2014/15 
£'000 £000 £7000 £7000 
ane ee ce eer ee 
e a E ENTIN e 
E a ee A E Eee, 
ae a : a ae a S T Ny Meat ren oe) ee i S bre ear ee Aree a E en eee 
o a E NER 
E D me me, RES SNE REESE LT SERENE T Peta SS SEN De. å E R abad 2 o AS 
e OO : Fe crea asta L 
S T 
S T 
eae eck I Ae enna ne 
ES a Si a 7 : - E SENSE ESS A oe cert eave Sr E S S Å i a Eee rere 
nae oe er S E A 
od S : oe EHEC DE BESS i TE A eae SON cre AR PR i i te ees S i ei ARN. i É T 
6,724 6,455 

Non-cash items 
A a 
EEN EEN 
RER ERE SEN ERE S S 
2,162 17790 
Total expenditure 8,886 8,245 


78 Notes to the accounts 


5a. 


5b. 


Annual Report 2015/16 Financial statements (C) 


Income 


Income from activities 


2015/16 2014/15 
£'000 £'000 
Fees 17,403 17,519 
Sundry receipts 416 130 
Total 17,819 17,649 
Consolidated Fund income 
2015/16 2014/15 
£'000 £'000 £000 £000 
Peco ye ee a es rs a a 
Collected under the Data Protection Act 1998 18,31i TTT i7sig TT 
Be KEE oe Dune 
e ca eee, o T NR ERE, leis T 
908 = 
a 
dio AO i S (ag S GG 
Eariy payment reductions” AMO 
Repaid following a successful appeal io eeeeenn 
Cancelled after successful appeals — — 
Impairments (815) (205) 
1,572 757 
A O ee 
Receipts under the Proceeds of Crime A ee 
EIS 
Bank interest received T aora E E 
Recovered legal fees A E ee 
Reimbursed travel expenses. ii A 
Conference A NDOSARS 
Income receipts under the Data Retention 
and Investigatory Powers Act BD 7 
416 180 
a (130) 
OC CCC CCC ee re er oe 
LO a AS A A O, > 
Balances held at the start of the year i 315 oe DDS 
Income payable to the Consolidated Fund BO. 807 
Payments to the Consolidated Fund (828) (1,430) 
Balances held at the end of the 1,967 315 


year (note 11) 
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As set out in note 1.5, income payable to the Consolidated Fund does 
not form part of the Statement of Comprehensive Net Expenditure. 
Amounts retained under direction from the DCMS with the consent 
of the Treasury are treated as Income from Activities within 

the Statement of Comprehensive Net Expenditure. The amounts 
receivable at 31 March 2016 were £1,059k (2014-15:£143k) 

and the amounts payable were £1,059k (2014-15:£315k). 


6. Property, plant and equipment 


Assets 

Information Plant and Leasehold under 
technology machinery improvements construction Total 
£7000 £000 £7000 £7000 £000 
oe e = ne er Så TT 
E R eee S eo a i a EE E See rener i an 
melse a a E A a G AS SE E E Be 
o or aa De Reser en Lee = 
Seer ST En A A ES o 
a erie a Woe eee? j E i oe REED meee ee 
At a1 March 2016 Ae T A eA l a aal 

Depreciation 

a E A aye E a Sd Z cee Eee oe 
a E a PAG ar ete eae A REE o BENN: : ol 
ae ante ea DEERE an A ELSE SEER e a 
At 31 March 2016 6,945 140 2,022 — 9,107 
NES boor valusat 728 37 342 297 1,404 


31 March 2016 


Asset financing 
Owned 728 37 342 297 1,404 


Net book value at 

31 March 2016 728 67 342 297 1,404 
Property, plant and equipment (excluding assets under construction) 
are re-valued annually using appropriate current cost price indices 
published by the Office for National Statistics. 


Included above are fully depreciated assets, in use with a gross 
carrying amount of £5,113k (2014-15: £26K). 


During the year we wrote off IT assets to the value of £1,482k with 
a carrying value of £340k resulting in a loss of the same. The assets 
are no longer in use. 
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Assets 

Information Plant and Leasehold under 
technology machinery improvements construction Total 
£'000 £'000 £'000 £000 £000 
ee E S Så nae os ER ROTA GT RENCE CT LEE HE RG E San Ue T Arc sete aa erence RN TT 
eee e ene MENE OET SS ener eee i En Se SEE ASR Te RE a 
BS a O EN EH DERE = 
Pe eg a aaa TER eee i BR Se EEN ANRT = 
O ge E = 
SR ere en enn Se Ree ore eae ee cere rata i 
At 31 March 2015 SoZ iy il 2,353 = 11,096 

Depreciation 

eae Papert eile Mand R F PEE NA SANSER O eae See o 
ee eRe) tenet eee NESS RENE rel SS Serer reer i ee ee ERA E = 
Aa S S 
o E A RO See errs = a 
At 31 March 2015 7,443 144 1,680 = 9,267 
Net book value at 1,129 27 673 = 1,829 


31 March 2015 


Asset financing 


Net book value at 
31 March 2015 
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Te 


Intangible assets 


Software Assets under 


licences construction Total 
£7000 £000 £7000 
ae A E e ee E S T T SENER ERR SE Ae oy rare ERE CERES ne ET 
Remee S Are AE aCe MT Nt ac te ee ee et a es ea 00 
O. AA: S 
ae T pe E oe 
a ie TEN RG Tai ee ae S ES 
At a1 L VI O 
Amortisation 
hee ee L T 
S O 0 age gras ees 
ae T i ~ A a 
At 31 March 2016 2,314 — 2,314 
Net book value at 31 March 2016 1,056 — 1,056 
Asset financing 
a BESES SEES SE NA TES TEE EN le O RT or E A 
BUSEY A E A E OO 


Included above are fully depreciated assets, in use with a gross carrying amount of 
£33k (2014-15: £56k). 


Cost or valuation 


At 01 April 2014 3,036 — 3,036 
EL RR ES S i S 
e ane Pee oa ee tere daa) 
e tee ea en races eigen ae ern N 7 
T 
Amortisation 

a O E ERE E Or eee E 
pe BS E ta ee) ne Con oe TE eo PRR! Te uk ea 
S we ma eee age re eee den 
At 31 Manch AAA A ee 
Net book value at 31 March 2015 1,801 — 1,801 


Assets financing 


Owned 1,801 — 1,801 
Net book value at 31 March 2015 1,801 = 1,801 
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8. Financial instruments 


As the cash requirements of the Information Commissioner are met 
through fees collected under the DPA and grant in aid provided by the 
DCMS, financial instruments play a more limited role in creating and 
managing risk than would apply to a non-public sector body. 


The majority of financial instruments relate to contracts to buy non- 
financial items in line with the Information Commissioner's expected 
purchase and usage requirement and the Information Commissioner 
is therefore exposed to little credit, liquidity or market risk. 


The Information Commissioner does not face significant medium to 
long-term financial risks. 


9. Trade receivables and other 
current assets 


31 March 31 March 
2016 2015 
£'000 £'000 
An shee ES : G mee S SELE KER T 
o e re ak RR OR i ae ee 
eae ee OA ao Sa E a o E 
ee RR ee 
Sub-total 1332 1,261 
a FASTER E E E E E a ET 
ee ee ECan ete ere eer es S 
E tats NED SEES ANS ERE ESS ES HON CNET SEES RES Et FEER tee ON GELSE SE Ate E Gee ee ae 
2,391 1,404 

Split 
O a T E Ae ig 
a ee ee 
ee eee a ee Ce arr SEGS SE era Menace eRe Reno eg ee 
2,391 1,404 
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10. Cash and cash equivalents 


31 March 31 March 


2016 2015 
£7000 £000 
Balance at 01 April 21099, 21908 
eee 109 (204) 
Balance at 31 March 2,808 2,699 
Split 
ee: i : i SR e Pa : Sa ASAS PLOT YE E P o 
o 2 E a a a E A T o e n a S 
Balance at 31 March 2,808 2,699 
11. Trade payables and other 
current liabilities 
31 March 31 March 
2016 2015 
£000 £000 
pees ee Ailing ce oe S SER oe BEA DNA Ep OL SE DSE SET RARER ae AN 
FG a a en ae ERE eager SA 
Kl OR SE SER SE REESE ED] T Se 
eo eee er eee å as 
E T å FÉ 
Sub-total iL alte 2,006 
ae ee = en i re an Py ree Ce i i S 3 
Balance at 31 March 3,485 2,321 
Split 
BE E a o Oe Se eter ee ree A 3 A ras : dE 
e lO E E Fe 
S O TRE a 
Balance at 31 March 3,485 27320 


The amount payable to the sponsor department represents the 
amount which will be due to the Consolidated Fund when all of 
the income due is collected. 
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Provision for liabilities and charges 


Dilapidations 
2015/16 2014/15 
£'000 £'000 
ae ER a ie FASE KR SE aaa a å E S ees 
peau eer Seen e a ARR Hore ree nee Bo cone eA eee oe ee L 
S T oe 
Balance at 31 March 605 510 
Analysis of expected timing of 
discounted flow: Dilapidations 
2015/16 2014/15 
£000 £7000 
epee hacen vce E S S 
REE See ee ee ee O 
five years EN 0 
aa MEE E e 
Balance at 31 March 605 510 


Dilapidations provision 

The lease on the ICO main premises at Wycliffe House, Wilmslow 
expires on 1 January 2017. At this time there is a possibility that 
the ICO could move premises and the landlord would then have a 
claim for dilapidations. A provision has been made based upon the 
maximum that may be due from an assessment by GVA, commercial 
property advisers, dated January 2013 and updated this year to 
current prices. 


The ICO also occupies government properties in Edinburgh and Cardiff 
under Memorandum of Terms of Occupation agreements ending 2016 
and 2024 respectively. Under these agreements, the ICO may have 
dilapidations liabilities at the end of the term of occupation, however, 
these are considered to be immaterial. 


Early departure costs 

The additional cost of benefits, beyond the normal PCSPS benefits in 
respect of employees who retire early, are provided for in full when 
the early departure decision is approved by establishing a provision 
for the estimated payments discounted by the Treasury discount rate 
of 1.37% (2014-15: 1.3%). The estimated payments are provided 
by MyCSP. 


Capital commitments 


There were no capital commitments in the year ending 31 March 2016 
(2014-15 £nil). 


Early departure costs 


2015/16 2014/15 
£'000 £'000 
di eer arene ee i E 
S i O 
(9) (8) 

63 62 


Early departure costs 


2015/16 2014/15 
£'000 £'000 

9 = 

54 38 
Sa E 
63 62 
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14.Commitments under operating leases 


The ICO leases properties in Wilmslow and Belfast under non- 
cancellable operating lease agreements. The lease in Wilmslow expires 
on 1 January 2017 and Belfast on 4 February 2018. Both leases have 
no option to purchase and no specific renewal terms. Renewals are 
negotiated with the lessor in accordance with the provisions of the 
individual lease agreements. 


31 March 31 March 
2016 2015 
Total future minimum lease payments 000 one 
under operating leases are: 
Buildings 
Not later than one year 571 727. 
Later than one year and not later than 22 564 
five years 
Later than five years = = 
593 1,291 


The minimum lease payments are determined from the relevant lease 
agreements and do not reflect possible increases as a result of market 
based reviews. The lease expenditure charged to the Statement of 
Comprehensive Net Expenditure (SoCNE) during the year is disclosed 
in note four. 


15. Related party transactions 


The Information Commissioner confirms that he had no personal 
business interests which conflict with his responsibilities as 
Information Commissioner. 


During the financial year 2015-16, until 17 September 2015 the MOJ, 
and the DCMS thereafter, was a related party to the Information 
Commissioner. 


During the year no related party transactions were entered into, with 
the exception of providing the Information Commissioner with grant 
in aid and remitting receipts collected on behalf of the Consolidated 
Fund. Details of the Commissioner’s remuneration and pension 
entitlement are disclosed in the remuneration report earlier in the 
document and note 3 to the Financial Statements. 


None of the key managerial staff or other related parties has 
undertaken any material transaction with the Information 
Commissioner during the year. 


86 Notes to the accounts 


Annual Report 2015/16 Financial statements (C) 


16. Contingent Liabilities 


There are no contingent liabilities at 31 March 2016 (2015: none). 


17. Events after the reporting period 


Christopher Graham's tenure as Information Commissioner ended on 
28 June 2016. Simon Entwisle, as Deputy Information Commissioner, 
took over the responsibilities of the Information Commissioner from 
29 June pending the newly appointed Information Commissioner, 
Elizabeth Denham, taking up post. 


The results of the EU referendum are now known, and whilst there will 
be an impact on data protection regulation from the EU referendum 
result, the current data protection regulatory regime was to remain 
in place until EU data protection reforms were implemented in May 
2018. This means that for the next financial year at least there are not 
expected to be any major changes in UK data protection regulation 
and the role of the ICO. 


There were no other events between the Statement of Financial 
Position date and the date on which the accounts were authorised for 
issue, which is interpreted as the date of the Certificate and Report of 
the Comptroller and Auditor General. 


The Accounting Officer authorised these financial statements for issue 
on 28 June 2016. 
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